Apple Safari Button Rendering Code Execution

August 25, 2010

Safari is a graphical web browser developed by Apple and included as part of the Mac OS X operating system. The browser is capable of processing HTML, images, scripting languages, and various other popular Internet specifications such as XHTML. Its rendering engine, called WebKit, also runs in the standard browsers of several mobile phone platforms, including the iPhone OS, Google Android, Nokia S60 and Palm WebOS. WebKit has a development toolkit which allows third party developers to build applications that use Internet technologies such as HTML, HTTP, and others. WebKit provides WebCore, an HTML parser, and JavaScriptCore, which is a JavaScript engine. WebKit also supports styling using CSS.

Cascading Style Sheets (CSS) is a style sheet language used to describe the presentation semantics (the look and formatting) of a document written in a markup language. Its most common application is to style web pages written in HTML and XHTML, but the language can also be applied to any kind of XML document, including SVG and XUL. CSS can define color, font, text alignment, size, borders, spacing, layout and many other typographic characteristics. It can do so independently for on-screen and printed views. One of these characteristics is the first-letter pseudo-element, which affects the first character of a paragraph. The following example uses the first-letter pseudo-element to change the color of the first letter of the paragraph in the body:

  <html>
  <head>
  <style type="text/css">
  p:first-letter { color:#ff0000; font-size:xx-large; display:none; }
  </style>
  </head>
  <body>
  <p>The first letter of this text is red!</p>
  </body>
  </html>

A design error exists in Safari's WebKit engine. The vulnerability is due to an implementation error when rendering elements whose first-letter pseudo-element has a specific CSS display property set. Remote attackers could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged-in user. In case of an unsuccessful attack, the associated browser tab will terminate abnormally, after which the browser will recover it.

The SonicWALL UTM team has researched this vulnerability and created the following IPS signatures for the public exploits:

  • 5563 Apple Safari Button Rendering Code Execution PoC 1
  • 5564 Apple Safari Button Rendering Code Execution PoC 2
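As an added illustration of the kind of content check such a signature performs (written here for this page; it is not SonicWALL's signature logic), the scanner below flags CSS rules in a page's style blocks where a first-letter pseudo-element also sets the display property. The two sample documents are constructed, and because the advisory does not state which display value triggers the defect, the heuristic reports every display value it finds and leaves the decision to the analyst.

```python
import re

# Constructed sample documents (not taken from the advisory).
SAMPLE_BENIGN = """<html><head><style type="text/css">
p:first-letter { color:#ff0000; font-size:xx-large; }
</style></head><body><p>The first letter of this text is red!</p></body></html>"""

SAMPLE_SUSPECT = """<html><head><style>
/* comment with a brace { to make sure comments are ignored */
p::first-letter { color:#ff0000; font-size:xx-large; display:none; }
div.note:first-letter{display : inline-block}
</style></head><body><p>hello</p></body></html>"""

STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.DOTALL)
# Accept both the CSS2 single-colon and CSS3 double-colon spellings.
FIRST_LETTER_RE = re.compile(r"::?first-letter\b", re.IGNORECASE)


def find_first_letter_display_rules(html):
    """Return (selector, display_value) for every CSS rule inside a <style>
    block that targets a first-letter pseudo-element and sets 'display'."""
    hits = []
    for style_block in STYLE_RE.findall(html):
        # Strip CSS comments first so a stray brace inside one cannot
        # confuse the rule splitter below.
        css = re.sub(r"/\*.*?\*/", "", style_block, flags=re.DOTALL)
        for selector, body in RULE_RE.findall(css):
            selector = " ".join(selector.split())  # normalise whitespace
            if not FIRST_LETTER_RE.search(selector):
                continue
            for decl in body.split(";"):
                if ":" not in decl:
                    continue
                prop, _, value = decl.partition(":")
                if prop.strip().lower() == "display":
                    hits.append((selector, value.strip().lower()))
    return hits


if __name__ == "__main__":
    for name, doc in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, find_first_letter_display_rules(doc))
```

A real inspection engine would additionally have to decode compressed or chunked responses and handle external style sheets and CSS injected by script, which this illustration does not attempt.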

The CVE identifier for this vulnerability is CVE-2010-1392.