TippingPoint Zero Day Initiative

Apple WebKit dir Attribute Freeing Dangling Object Pointer Vulnerability

ZDI-09-033: June 8th, 2009


Affected Vendors

Affected Products

Vulnerability Details

This vulnerability allows attackers to execute arbitrary code on vulnerable software utilizing the Apple WebKit library. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists when the document.body element contains a specific XML container containing various elements supporting the 'dir' attribute. During the destruction of this element, if the rendering object responsible for the element is being removed, the application will then make a call to a method for an object that doesn't exist which can lead to code execution under the context of the current user.

Vendor Response

Apple has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2009-02-09 - Vulnerability reported to vendor
    2009-06-08 - Coordinated public release of advisory


This vulnerability was discovered by:
    wushi&ling of team509