ID

VAR-201103-0250

CVE

CVE-2011-0149

TITLE

plural Apple Product WebKit Vulnerable to arbitrary code execution

DESCRIPTION

WebKit, as used in Apple iTunes before 10.2 on Windows, does not properly parse HTML elements associated with document namespaces, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to a "dangling pointer" and iTunes Store browsing, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-02-1. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple's Webkit Library. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within how the application parses a specially formatted HTML file. When parsing a particular element that also defines the namespace of the document, the library will call a dangling pointer which is consistent but unmapped. Due to this being unmapped, if an attacker can get code loaded at that address this can can lead to code execution under the context of the application. WebKit is prone to multiple memory-corruption vulnerabilities. An attacker may exploit these issues by enticing victims into viewing a malicious webpage. This BID is being retired. The following individual records exists to better document the issues: 46684 WebKit CVE-2011-0111 Unspecified Memory Corruption Vulnerability 46686 WebKit CVE-2011-0117 Unspecified Memory Corruption Vulnerability 46687 WebKit CVE-2011-0118 Unspecified Memory Corruption Vulnerability 46688 WebKit CVE-2011-0119 Unspecified Memory Corruption Vulnerability 46689 WebKit CVE-2011-0141 Unspecified Memory Corruption Vulnerability 46690 WebKit CVE-2011-0136 Unspecified Memory Corruption Vulnerability 46691 WebKit CVE-2011-0114 Unspecified Memory Corruption Vulnerability 46692 WebKit CVE-2011-0128 Unspecified Memory Corruption Vulnerability 46693 WebKit CVE-2011-0129 Unspecified Memory Corruption Vulnerability 46694 WebKit CVE-2011-0120 Unspecified Memory Corruption Vulnerability 46695 WebKit CVE-2011-0143 Unspecified Memory Corruption Vulnerability 46696 WebKit CVE-2011-0121 Unspecified Memory Corruption Vulnerability 46698 WebKit CVE-2011-0123 Unspecified Memory Corruption Vulnerability 46699 WebKit CVE-2011-0144 Unspecified Memory Corruption Vulnerability 46700 WebKit CVE-2011-0130 Unspecified Memory Corruption Vulnerability 46701 WebKit CVE-2011-0125 Unspecified Memory Corruption Vulnerability 46702 WebKit CVE-2011-0147 Unspecified Memory Corruption Vulnerability 46703 WebKit CVE-2011-0164 Unspecified Memory Corruption Vulnerability 46704 WebKit CVE-2011-0131 Unspecified Memory Corruption Vulnerability 46705 WebKit CVE-2011-0127 Unspecified Memory Corruption Vulnerability 46706 WebKit CVE-2011-0142 Unspecified Memory Corruption Vulnerability 46707 WebKit CVE-2011-0137 Unspecified Memory Corruption Vulnerability 46708 WebKit CVE-2011-0148 Unspecified Memory Corruption Vulnerability 46709 WebKit CVE-2011-0135 Unspecified Memory Corruption Vulnerability 46710 WebKit CVE-2011-0145 Unspecified Memory Corruption Vulnerability 46711 WebKit CVE-2011-0134 Unspecified Memory Corruption Vulnerability 46712 WebKit CVE-2011-0139 Unspecified Memory Corruption Vulnerability 46713 WebKit CVE-2011-0138 Unspecified Memory Corruption Vulnerability 46714 WebKit CVE-2011-0140 Unspecified Memory Corruption Vulnerability 46715 WebKit CVE-2011-0146 Unspecified Memory Corruption Vulnerability 46716 WebKit CVE-2011-0165 Unspecified Memory Corruption Vulnerability 46717 WebKit CVE-2011-0150 Unspecified Memory Corruption Vulnerability 46718 WebKit CVE-2011-0152 Unspecified Memory Corruption Vulnerability 46719 WebKit CVE-2011-0151 Unspecified Memory Corruption Vulnerability 46720 WebKit CVE-2011-0153 Unspecified Memory Corruption Vulnerability 46721 WebKit CVE-2011-0155 Unspecified Memory Corruption Vulnerability 46722 WebKit CVE-2011-0168 Unspecified Memory Corruption Vulnerability 46723 WebKit CVE-2011-0122 Unspecified Memory Corruption Vulnerability 46724 WebKit CVE-2011-0156 Unspecified Memory Corruption Vulnerability 46725 WebKit CVE-2011-0124 Unspecified Memory Corruption Vulnerability 46726 WebKit CVE-2011-0112 Unspecified Memory Corruption Vulnerability 46727 WebKit CVE-2011-0126 Unspecified Memory Corruption Vulnerability 46728 WebKit CVE-2011-0113 Unspecified Memory Corruption Vulnerability 46744 WebKit CVE-2011-0149 'HTMLBRElement' Style Memory Corruption Vulnerability 46745 WebKit CVE-2011-0154 Javascript 'sort()' Method Memory Corruption Vulnerability 46746 WebKit Range Object Remote Code Execution Vulnerability 46747 WebKit CVE-2011-0116 'setOuterText()' Method Memory Corruption Remote Code Execution Vulnerability 46748 WebKit 'Runin' Box CVE-2011-0132 Use-After-Free Memory Corruption Vulnerability 46749 WebKit CVE-2011-0133 Glyph Data Memory Corruption Vulnerability. NOTE: This issue was previously discussed in BID 46654 (WebKit Multiple Memory Corruption Vulnerabilities) but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ZDI-11-100: Apple Webkit Root HTMLBRElement Style Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-100 March 2, 2011 -- CVE ID: CVE-2011-0149 -- CVSS: 9, (AV:N/AC:M/Au:N/C:C/I:P/A:C) -- Affected Vendors: Apple -- Affected Products: Apple WebKit -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10884. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4554 -- Disclosure Timeline: 2010-10-18 - Vulnerability reported to vendor 2011-03-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * wushi of team509 -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Apple iTunes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43582 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43582/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43582 RELEASE DATE: 2011-03-03 DISCUSS ADVISORY: http://secunia.com/advisories/43582/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43582/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43582 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iTunes, which can be exploited by malicious people to compromise a user's system. 1) Some errors exists due to the use of a vulnerable libpng library. For more information: SA40302 2) An array indexing error in the CoreGraphics library (ImageIO) when processing the International Color Consortium (ICC) profile within a JPEG image can be exploited to corrupt heap-based memory. 3) An error in the libTIFF library when handling JPEG encoded TIFF images can be exploited to cause a buffer overflow. 4) A boundary error in the libTIFF library when handling CCITT Group 4 encoded TIFF images. For more information: SA43593 5) A double free error in the libxml library when handling XPath expressions. For more information: SA42721 6) An error exists in the libxml library when traversing the XPath. 8) An error in the WebKit component when elements are being appended to the DOM tree during the display of an error message can be exploited to access a freed element via a specially crafted document. 9) An error in the WebKit component when handling a DOM level 2 range object can be exploited to corrupt memory by manipulating the DOM via an event listener. 10) A use-after-free error in the "setOuterText()" method in the htmlelement library (WebKit) when tracking DOM manipulations can be exploited to dereference freed memory. 11) A use-after-free error in the WebKit component when promoting a run-in element can be exploited to dereference freed memory. 12) An error in the WebKit component when performing layout operations for a floating block of a pseudo-element can be exploited to dereference uninitialised glyph data. 14) An error in the Javascript array "sort()" method (WebKit) can be exploited to manipulate elements outside of the array's boundary. SOLUTION: Update to version 10.2. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 2) Andrzej Dyjak via iDefense VCP 3, 4) Reported by the vendor 8, 11 - 13) wushi of team509 via ZDI 9) J23 via ZDI 10, 14) An anonymous person via ZDI 11) Jose A. Vazquez via ZDI The vendor also credits: 5) Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences 6) Bui Quang Minh, Bkis 8) kuzcc 9) Emil A Eklund, Google Inc 13) SkyLined, Google Chrome Security Team The vendor provides a bundled list of credits for vulnerabilities in #7: Sergey Glazunov Andreas Kling, Nokia Yuzo Fujishima, Google Inc. Abhishek Arya (Inferno), Google, Inc. Mihai Parparita, Google, Inc. Emil A Eklund, Google, Inc. Michal Zalewski, Google, Inc. Chris Evans, Google Chrome Security Team SkyLined, Google Chrome Security Team Chris Rohlf, Matasano Security Aki Helin, OUSPG Dirk Schulze Slawomir Blazek David Bloom Famlam Jan Tosovsky Michael Gundlach ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4554 iDefense VCP: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=897 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-095/ http://www.zerodayinitiative.com/advisories/ZDI-11-096/ http://www.zerodayinitiative.com/advisories/ZDI-11-097/ http://www.zerodayinitiative.com/advisories/ZDI-11-098/ http://www.zerodayinitiative.com/advisories/ZDI-11-099/ http://www.zerodayinitiative.com/advisories/ZDI-11-100/ http://www.zerodayinitiative.com/advisories/ZDI-11-101/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Unknown

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

wushi of team509

SOURCES

LAST UPDATE DATE

2025-04-11T22:17:19.735000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE