Details of VAR-201003-0467

ID

VAR-201003-0467

CVE

CVE-2010-1120

TITLE

Apple Mac OS X Run on Safari Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2010-001444

DESCRIPTION

Unspecified vulnerability in Safari 4 on Apple Mac OS X 10.6 allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by Charlie Miller during a Pwn2Own competition at CanSecWest 2010. User interaction is required in that a target must open a malicious file or visit a malicious page.The specific flaw exists within the routine TType1ParsingContext::SpecialEncoding() defined in libFontParser.dylib. While parsing glyphs from a PDF document, a malformed offset greater than 0x400 can result in a heap corruption which can be leveraged by an attacker to execute arbitrary code under the context of the current user. Apple Safari is a web browser software. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4131 -- Disclosure Timeline: 2010-03-26 - Vulnerability reported to vendor 2010-04-14 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Charlie Miller -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi. This can be exploited to corrupt memory e.g. via a specially crafted PDF file opened in Preview. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in Mac OS X Server 10.5, Mac OS X 10.5, Mac OS X 10.6, and Mac OS X Server 10.6. SOLUTION: Apply Security Update 2010-003. Security Update 2010-003 (Snow Leopard): http://support.apple.com/kb/DL1029 Security Update 2010-003 (Leopard-Client): http://support.apple.com/kb/DL1027 Security Update 2010-003 (Leopard-Server): http://support.apple.com/kb/DL1028 PROVIDED AND/OR DISCOVERED BY: Charlie Miller, reported via ZDI. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4131 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-076/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.79

sources: NVD: CVE-2010-1120 // JVNDB: JVNDB-2010-001444 // ZDI: ZDI-10-076 // BID: 38955 // VULHUB: VHN-43725 // PACKETSTORM: 88454 // PACKETSTORM: 88431

AFFECTED PRODUCTS

vendor:	apple	model:	safari	scope:	eq	version:	4.0	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.6.3	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.6.3	Trust: 0.8
vendor:	apple	model:	safari	scope:	eq	version:	4	Trust: 0.8
vendor:	apple	model:	preview	scope:	-	version:	-	Trust: 0.7
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.8	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.8	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.7	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5	Trust: 0.3

sources: ZDI: ZDI-10-076 // BID: 38955 // JVNDB: JVNDB-2010-001444 // CNNVD: CNNVD-201003-385 // NVD: CVE-2010-1120

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-1120
value:	HIGH
Trust: 1.0
NVD:	CVE-2010-1120
value:	HIGH
Trust: 0.8
ZDI:	CVE-2010-1120
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-201003-385
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-43725
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2010-1120
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.5
VULHUB:	VHN-43725
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-10-076 // VULHUB: VHN-43725 // JVNDB: JVNDB-2010-001444 // CNNVD: CNNVD-201003-385 // NVD: CVE-2010-1120

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.9

sources: VULHUB: VHN-43725 // JVNDB: JVNDB-2010-001444 // NVD: CVE-2010-1120

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 88454 // CNNVD: CNNVD-201003-385

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201003-385

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001444

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-43725

PATCH

title:	HT4131	url:	http://support.apple.com/kb/HT4131	Trust: 1.5
title:	HT4131	url:	http://support.apple.com/kb/HT4131?viewlocale=ja_JP	Trust: 0.8

sources: ZDI: ZDI-10-076 // JVNDB: JVNDB-2010-001444

EXTERNAL IDS

db:	NVD	id:	CVE-2010-1120	Trust: 3.6
db:	ZDI	id:	ZDI-10-076	Trust: 0.9
db:	JVNDB	id:	JVNDB-2010-001444	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-760	Trust: 0.7
db:	CNNVD	id:	CNNVD-201003-385	Trust: 0.6
db:	BID	id:	38955	Trust: 0.4
db:	PACKETSTORM	id:	88454	Trust: 0.2
db:	SECUNIA	id:	39426	Trust: 0.2
db:	VULHUB	id:	VHN-43725	Trust: 0.1
db:	PACKETSTORM	id:	88431	Trust: 0.1

sources: ZDI: ZDI-10-076 // VULHUB: VHN-43725 // BID: 38955 // JVNDB: JVNDB-2010-001444 // PACKETSTORM: 88454 // PACKETSTORM: 88431 // CNNVD: CNNVD-201003-385 // NVD: CVE-2010-1120

REFERENCES

url:	http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010	Trust: 2.0
url:	http://news.cnet.com/8301-27080_3-20001126-245.html	Trust: 2.0
url:	http://twitter.com/thezdi/statuses/11002504493	Trust: 1.7
url:	http://support.apple.com/kb/ht4131	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1120	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1120	Trust: 0.8
url:	http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1506830,00.html?track=sy160&utm_source=feedburner&utm_medium=feed&utm_campaign=feed%3a+techtarget%2fsearchsecurity%2fsecuritywire+%2	Trust: 0.3
url:	http://www.apple.com/safari/	Trust: 0.3
url:	/archive/1/510757	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/disclosure_policy/	Trust: 0.1
url:	http://twitter.com/thezdi	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-076	Trust: 0.1
url:	http://www.tippingpoint.com	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2010-1120	Trust: 0.1
url:	http://www.zerodayinitiative.com	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-076/	Trust: 0.1
url:	http://secunia.com/advisories/39426/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://support.apple.com/kb/dl1028	Trust: 0.1
url:	http://support.apple.com/kb/dl1027	Trust: 0.1
url:	http://support.apple.com/kb/dl1029	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

CREDITS

Charlie Miller

Trust: 0.7

sources: ZDI: ZDI-10-076

SOURCES

db:	ZDI	id:	ZDI-10-076
db:	VULHUB	id:	VHN-43725
db:	BID	id:	38955
db:	JVNDB	id:	JVNDB-2010-001444
db:	PACKETSTORM	id:	88454
db:	PACKETSTORM	id:	88431
db:	CNNVD	id:	CNNVD-201003-385
db:	NVD	id:	CVE-2010-1120

LAST UPDATE DATE

2025-04-11T23:06:03.063000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-10-076	date:	2010-04-14T00:00:00
db:	VULHUB	id:	VHN-43725	date:	2010-06-23T00:00:00
db:	BID	id:	38955	date:	2010-04-15T18:54:00
db:	JVNDB	id:	JVNDB-2010-001444	date:	2010-05-18T00:00:00
db:	CNNVD	id:	CNNVD-201003-385	date:	2010-03-25T00:00:00
db:	NVD	id:	CVE-2010-1120	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-10-076	date:	2010-04-14T00:00:00
db:	VULHUB	id:	VHN-43725	date:	2010-03-25T00:00:00
db:	BID	id:	38955	date:	2010-03-24T00:00:00
db:	JVNDB	id:	JVNDB-2010-001444	date:	2010-05-18T00:00:00
db:	PACKETSTORM	id:	88454	date:	2010-04-16T02:38:47
db:	PACKETSTORM	id:	88431	date:	2010-04-15T05:58:39
db:	CNNVD	id:	CNNVD-201003-385	date:	2010-03-25T00:00:00
db:	NVD	id:	CVE-2010-1120	date:	2010-03-25T21:00:01.093