var-201003-1092
Vulnerability from variot
Integer overflow in ColorSync in Apple Safari before 4.0.5 on Windows, and iTunes before 9.1, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with a crafted color profile that triggers a heap-based buffer overflow. Safari is prone to an integer overflow vulnerability. Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed attacks will likely cause denial-of-service conditions. This issue was previously documented in BID 38671 (Apple Safari Prior to 4.0.5 Multiple Security Vulnerabilities) but has been given its own record to better document it. These issues affect versions prior to Safari 4.0.5 running on Apple Mac OS X, Windows 7, XP and Vista. NOTE: This BID is being retired because the following individual records have been created to better document issues previously mentioned in this BID: 38674 Apple Safari Prior to 4.0.5 Integer Overflow Vulnerability 35451 LibTIFF 'LZWDecodeCompat()' Remote Buffer Underflow Vulnerability 38676 Apple Safari BMP Image Uninitialized Memory Information Disclosure Vulnerability 38677 Apple Safari TIFF Image Uninitialized Memory Information Disclosure Vulnerability 38673 Apple Safari ImageIO TIFF Image Remote Code Execution Vulnerability 38675 Apple Safari Prior to 4.0.5 Configuration Bypass Weakness 38683 Apple Safari URL Schemes Handling Remote Code Execution Vulnerability 38684 WebKit CSS 'format()' Arguments Memory Corruption Vulnerability 38687 WebKit Object Element Fallback Memory Corruption Vulnerability 38688 WebKit XML Document Parsing Memory Corruption Vulnerability 38689 WebKit Right-to-Left Displayed Text Handling Memory Corruption Vulnerability 38685 WebKit Nested HTML Tags Use-After-Free Error Remote Code Execution Vulnerability 38692 WebKit Cross-Origin Stylesheet Request Information Disclosure Vulnerability 38686 WebKit HTML Elements Callback Use-After-Free Error Remote Code Execution Vulnerability 38690 WebKit CSS Display Use-After-Free Error Remote Code Execution Vulnerability 38691 WebKit HTML Image Element Handling Memory Corruption Vulnerability. ----------------------------------------------------------------------
Secunia CSI + Microsoft SCCM
= Extensive Patch Management
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
TITLE: Apple iTunes Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA39135
VERIFY ADVISORY: http://secunia.com/advisories/39135/
DESCRIPTION: Some vulnerabilities have been reported in Apple iTunes, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or compromise a user's system.
For more information see vulnerabilities #1 through #4 and #9 in: SA38932
2) An error when processing MP4 files can be exploited to trigger the execution of an infinite loop and render the application unusable after its restart via e.g. a specially crafted podcast.
3) During installation iTunes for Windows installs and executes certain files in a directory in the ""%ALLUSERSPROFILE%\Application Data\" path. As standard permissions allows any user to write files to the path, this can be exploited to either create malicious files with specific names before installation or malicious libraries after installation, allowing execution of arbitrary code with SYSTEM privileges.
SOLUTION: Update to version 9.1.
PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sojeong Hong, Sourcefire VRT 3) Jason Geffner, NGSSoftware
CHANGELOG: 2010-03-31: Added additional information provided by NGSSoftware.
ORIGINAL ADVISORY: http://support.apple.com/kb/HT4105
OTHER REFERENCES: SA38932: http://secunia.com/advisories/38932/
About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. BACKGROUND
"iTunes is a free application for Mac or PC. It organizes and plays digital music and video on computers. It syncs all media files with iPod, iPhone, and Apple TV." from Apple.com
II. DESCRIPTION
VUPEN Vulnerability Research Team discovered a vulnerability in Apple iTunes. Exploits - PoCs & Binary Analysis
In-depth binary analysis of the vulnerability and a proof-of-concept have been released by VUPEN through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits
V. SOLUTION
Upgrade to Apple iTunes 9.1: http://www.apple.com/itunes/download/
VI. ABOUT VUPEN Security
VUPEN is a leading IT security research company providing vulnerability management and security intelligence solutions which enable enterprises and institutions to eliminate vulnerabilities before they can be exploited, ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial services, insurance, manufacturing and technology industries rely on VUPEN to improve their security, prioritize resources, cut time and costs, and stay ahead of the latest threats.
- VUPEN Vulnerability Notification Service:
http://www.vupen.com/english/services
- VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/exploits
VIII. REFERENCES
http://www.vupen.com/english/advisories/2010/0745 http://support.apple.com/kb/HT4105 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0040
IX. DISCLOSURE TIMELINE
2009-12-03 - Vendor notified 2009-12-07 - Vendor response 2010-01-26 - Status update received 2010-03-04 - Status update received 2010-03-12 - Vulnerability Fixed in Safari v4.0.5 2010-03-31 - Vulnerability Fixed in iTunes v9.1
. As of February 2010, Safari was the fourth most widely used browser, with 4.45% of the worldwide usage share of web browsers according to Net Application."
II.
VUPEN also provides in-depth binary analysis of vulnerabilities and commercial-grade exploit codes to help security vendors, governments, and corporations to evaluate and qualify risks, and protect their infrastructures and assets. iDefense Security Advisory 03.11.10 http://labs.idefense.com/intelligence/vulnerabilities/ Mar 11, 2010
I. BACKGROUND
WebKit is an open source web browser engine. It is currently used by Apple Inc.'s Safari browser, as well as by Google's Chrome browser. For more information, see the vendor's site at the following link.
http://webkit.org/
II.
The vulnerability occurs when a certain property of an HTML element is reset via JavaScript code. When this occurs, a C++ object is incorrectly accessed after it has been freed. This results in an attacker controlled value being used as a C++ VTABLE, which leads to the execution of arbitrary code.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the Webpage. To exploit this vulnerability, a targeted user must load a malicious Webpage created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. After the user visits the malicious Webpage, no further user interaction is needed.
Exploitation of this vulnerability is relatively simple if a heap spray technique is used to control large portions of heap memory. It is also trivial for an attacker to reallocate the chunk of freed memory and populate it with controlled values. This allows an attacker to control a C++ VTABLE, which leads to code execution. As such, iDefense considers this vulnerability to be highly exploitable.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Google Chrome 3.0.195.38 and Safari 4.0.4. Previous versions are suspected to be vulnerable.
V. WORKAROUND
The vulnerability is present in the JavaScript engine, so disabling JavaScript is an effective workaround. This can be performed via the command line with Google Chrome, and the Preferences menu in Safari.
VI. VENDOR RESPONSE
Apple Inc. has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown. http://www.apple.com/safari/download
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-0040 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
12/15/2009 Initial Vendor Notification 12/15/2009 Initial Vendor Reply 03/11/2010 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by wushi&Z of team509.
Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201003-1092",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "safari",
"scope": "eq",
"trust": 1.9,
"vendor": "apple",
"version": "4.0.1"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.9,
"vendor": "apple",
"version": "4.0.2"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.9,
"vendor": "apple",
"version": "4.0.3"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "4.0.0b"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "4.0"
},
{
"model": "safari",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "4.0.4"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.9,
"vendor": "apple",
"version": "4.0.4"
},
{
"model": "itunes",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "9.1"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "4.0.5"
},
{
"model": "safari for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "4.0.4"
},
{
"model": "safari for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "4.0.3"
},
{
"model": "safari for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "4.0.2"
},
{
"model": "safari for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "4"
},
{
"model": "safari for windows",
"scope": "ne",
"trust": 0.6,
"vendor": "apple",
"version": "4.0.5"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.0.2"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.0.1.8"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.0.1"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "9.0"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.2"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.1"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.0.2.20"
},
{
"model": "itunes",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "8.0"
},
{
"model": "itunes",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "9.1"
},
{
"model": "safari",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "4.0.5"
},
{
"model": "safari beta",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "4"
}
],
"sources": [
{
"db": "BID",
"id": "38674"
},
{
"db": "BID",
"id": "38671"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"db": "CNNVD",
"id": "CNNVD-201003-179"
},
{
"db": "NVD",
"id": "CVE-2010-0040"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:apple:itunes",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:apple:safari",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Matthew JurczykBilly RiosRobert Swiecki\u203b robert@swiecki.net\u203bwushi\u203b wooshi@gmail.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201003-179"
}
],
"trust": 0.6
},
"cve": "CVE-2010-0040",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CVE-2010-0040",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-42645",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2010-0040",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2010-0040",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201003-179",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-42645",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42645"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"db": "CNNVD",
"id": "CNNVD-201003-179"
},
{
"db": "NVD",
"id": "CVE-2010-0040"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Integer overflow in ColorSync in Apple Safari before 4.0.5 on Windows, and iTunes before 9.1, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with a crafted color profile that triggers a heap-based buffer overflow. Safari is prone to an integer overflow vulnerability. \nSuccessfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed attacks will likely cause denial-of-service conditions. \nThis issue was previously documented in BID 38671 (Apple Safari Prior to 4.0.5 Multiple Security Vulnerabilities) but has been given its own record to better document it. These issues affect versions prior to Safari 4.0.5 running on Apple Mac OS X, Windows 7, XP and Vista. \nNOTE: This BID is being retired because the following individual records have been created to better document issues previously mentioned in this BID:\n38674 Apple Safari Prior to 4.0.5 Integer Overflow Vulnerability\n35451 LibTIFF \u0027LZWDecodeCompat()\u0027 Remote Buffer Underflow Vulnerability\n38676 Apple Safari BMP Image Uninitialized Memory Information Disclosure Vulnerability\n38677 Apple Safari TIFF Image Uninitialized Memory Information Disclosure Vulnerability\n38673 Apple Safari ImageIO TIFF Image Remote Code Execution Vulnerability\n38675 Apple Safari Prior to 4.0.5 Configuration Bypass Weakness\n38683 Apple Safari URL Schemes Handling Remote Code Execution Vulnerability\n38684 WebKit CSS \u0027format()\u0027 Arguments Memory Corruption Vulnerability\n38687 WebKit Object Element Fallback Memory Corruption Vulnerability\n38688 WebKit XML Document Parsing Memory Corruption Vulnerability\n38689 WebKit Right-to-Left Displayed Text Handling Memory Corruption Vulnerability\n38685 WebKit Nested HTML Tags Use-After-Free Error Remote Code Execution Vulnerability\n38692 WebKit Cross-Origin Stylesheet Request Information Disclosure Vulnerability\n38686 WebKit HTML Elements Callback Use-After-Free Error Remote Code Execution Vulnerability\n38690 WebKit CSS Display Use-After-Free Error Remote Code Execution Vulnerability\n38691 WebKit HTML Image Element Handling Memory Corruption Vulnerability. ----------------------------------------------------------------------\n\n\n Secunia CSI\n+ Microsoft SCCM\n-----------------------\n= Extensive Patch Management\n\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nApple iTunes Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA39135\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/39135/\n\nDESCRIPTION:\nSome vulnerabilities have been reported in Apple iTunes, which can be\nexploited by malicious, local users to gain escalated privileges and\nby malicious people to disclose sensitive information, cause a DoS\n(Denial of Service), or compromise a user\u0027s system. \n\nFor more information see vulnerabilities #1 through #4 and #9 in:\nSA38932\n\n2) An error when processing MP4 files can be exploited to trigger the\nexecution of an infinite loop and render the application unusable\nafter its restart via e.g. a specially crafted podcast. \n\n3) During installation iTunes for Windows installs and executes\ncertain files in a directory in the \"\"%ALLUSERSPROFILE%\\Application\nData\\\" path. As standard permissions allows any user to write files\nto the path, this can be exploited to either create malicious files\nwith specific names before installation or malicious libraries after\ninstallation, allowing execution of arbitrary code with SYSTEM\nprivileges. \n\nSOLUTION:\nUpdate to version 9.1. \n\nPROVIDED AND/OR DISCOVERED BY:\n2) The vendor credits Sojeong Hong, Sourcefire VRT\n3) Jason Geffner, NGSSoftware\n\nCHANGELOG:\n2010-03-31: Added additional information provided by NGSSoftware. \n\nORIGINAL ADVISORY:\nhttp://support.apple.com/kb/HT4105\n\nOTHER REFERENCES:\nSA38932:\nhttp://secunia.com/advisories/38932/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. BACKGROUND\n---------------------\n\n\"iTunes is a free application for Mac or PC. It organizes and plays\ndigital music and video on computers. It syncs all media files\nwith iPod, iPhone, and Apple TV.\" from Apple.com\n\n\nII. DESCRIPTION\n\n--------------------- \n\nVUPEN Vulnerability Research Team discovered a vulnerability in\nApple iTunes. Exploits - PoCs \u0026 Binary Analysis\n----------------------------------------\n\nIn-depth binary analysis of the vulnerability and a proof-of-concept\nhave been released by VUPEN through the VUPEN Binary Analysis\n\u0026 Exploits Service :\n\nhttp://www.vupen.com/exploits\n\n\nV. SOLUTION\n\n---------------- \n\nUpgrade to Apple iTunes 9.1:\nhttp://www.apple.com/itunes/download/\n\n\nVI. ABOUT VUPEN Security\n---------------------------------\n\nVUPEN is a leading IT security research company providing vulnerability\nmanagement and security intelligence solutions which enable enterprises\nand institutions to eliminate vulnerabilities before they can be exploited,\nensure security policy compliance and meaningfully measure and manage risks. \n\nGovernmental and federal agencies, and global enterprises in the financial\nservices, insurance, manufacturing and technology industries rely on VUPEN\nto improve their security, prioritize resources, cut time and costs, and\nstay ahead of the latest threats. \n\n* VUPEN Vulnerability Notification Service:\n\nhttp://www.vupen.com/english/services\n\n* VUPEN Binary Analysis \u0026 Exploits Service :\n\nhttp://www.vupen.com/exploits\n\n\nVIII. REFERENCES\n----------------------\n\nhttp://www.vupen.com/english/advisories/2010/0745\nhttp://support.apple.com/kb/HT4105\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0040\n\n\nIX. DISCLOSURE TIMELINE\n----------------------------------- \n\n2009-12-03 - Vendor notified\n2009-12-07 - Vendor response\n2010-01-26 - Status update received\n2010-03-04 - Status update received\n2010-03-12 - Vulnerability Fixed in Safari v4.0.5\n2010-03-31 - Vulnerability Fixed in iTunes v9.1\n\n\n\n. As of February 2010,\nSafari was the fourth most widely used browser, with 4.45% of the\nworldwide usage share of web browsers according to Net Application.\"\n\n\nII. \n\nVUPEN also provides in-depth binary analysis of vulnerabilities and\ncommercial-grade exploit codes to help security vendors, governments,\nand corporations to evaluate and qualify risks, and protect their\ninfrastructures and assets. iDefense Security Advisory 03.11.10\nhttp://labs.idefense.com/intelligence/vulnerabilities/\nMar 11, 2010\n\nI. BACKGROUND\n\nWebKit is an open source web browser engine. It is currently used by\nApple Inc.\u0027s Safari browser, as well as by Google\u0027s Chrome browser. For\nmore information, see the vendor\u0027s site at the following link. \n\nhttp://webkit.org/\n\nII. \n\nThe vulnerability occurs when a certain property of an HTML element is\nreset via JavaScript code. When this occurs, a C++ object is\nincorrectly accessed after it has been freed. This results in an\nattacker controlled value being used as a C++ VTABLE, which leads to\nthe execution of arbitrary code. \n\nIII. ANALYSIS\n\nExploitation of this vulnerability results in the execution of arbitrary\ncode with the privileges of the user viewing the Webpage. To exploit\nthis vulnerability, a targeted user must load a malicious Webpage\ncreated by an attacker. An attacker typically accomplishes this via\nsocial engineering or injecting content into compromised, trusted\nsites. After the user visits the malicious Webpage, no further user\ninteraction is needed. \n\nExploitation of this vulnerability is relatively simple if a heap spray\ntechnique is used to control large portions of heap memory. It is also\ntrivial for an attacker to reallocate the chunk of freed memory and\npopulate it with controlled values. This allows an attacker to control\na C++ VTABLE, which leads to code execution. As such, iDefense\nconsiders this vulnerability to be highly exploitable. \n\nIV. DETECTION\n\niDefense has confirmed the existence of this vulnerability in Google\nChrome 3.0.195.38 and Safari 4.0.4. Previous versions are suspected to\nbe vulnerable. \n\nV. WORKAROUND\n\nThe vulnerability is present in the JavaScript engine, so disabling\nJavaScript is an effective workaround. This can be performed via the\ncommand line with Google Chrome, and the Preferences menu in Safari. \n\nVI. VENDOR RESPONSE\n\nApple Inc. has released a patch which addresses this issue. Information\nabout downloadable vendor updates can be found by clicking on the URLs\nshown. http://www.apple.com/safari/download\n\nVII. CVE INFORMATION\n\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\nname CVE-2010-0040 to this issue. This is a candidate for inclusion in\nthe CVE list (http://cve.mitre.org/), which standardizes names for\nsecurity problems. \n\nVIII. DISCLOSURE TIMELINE\n\n12/15/2009 Initial Vendor Notification\n12/15/2009 Initial Vendor Reply\n03/11/2010 Coordinated Public Disclosure\n\nIX. CREDIT\n\nThis vulnerability was reported to iDefense by wushi\u0026Z of team509. \n\nGet paid for vulnerability research\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\n\nFree tools, research and upcoming events\nhttp://labs.idefense.com/\n\nX. LEGAL NOTICES\n\nCopyright \\xa9 2010 iDefense, Inc. \n\nPermission is granted for the redistribution of this alert\nelectronically. It may not be edited in any way without the express\nwritten consent of iDefense. If you wish to reprint the whole or any\npart of this alert in any other medium other than electronically,\nplease e-mail customerservice@idefense.com for permission. \n\nDisclaimer: The information in the advisory is believed to be accurate\nat the time of publishing based on currently available information. Use\nof the information constitutes acceptance for use in an AS IS condition. \n There are no warranties with regard to this information. Neither the\nauthor nor the publisher accepts any liability for any direct,\nindirect, or consequential loss or damage arising from use of, or\nreliance on, this information. \n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2010-0040"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"db": "BID",
"id": "38674"
},
{
"db": "BID",
"id": "38671"
},
{
"db": "VULHUB",
"id": "VHN-42645"
},
{
"db": "PACKETSTORM",
"id": "87984"
},
{
"db": "PACKETSTORM",
"id": "87925"
},
{
"db": "PACKETSTORM",
"id": "87200"
},
{
"db": "PACKETSTORM",
"id": "87147"
}
],
"trust": 2.61
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-42645",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42645"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2010-0040",
"trust": 3.1
},
{
"db": "BID",
"id": "38674",
"trust": 2.8
},
{
"db": "BID",
"id": "38671",
"trust": 2.0
},
{
"db": "SECUNIA",
"id": "39135",
"trust": 1.2
},
{
"db": "SECTRACK",
"id": "1023706",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001180",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201003-179",
"trust": 0.7
},
{
"db": "APPLE",
"id": "APPLE-SA-2010-03-11-1",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "14628",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "87200",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "87925",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "87147",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-42645",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "87984",
"trust": 0.1
},
{
"db": "VUPEN",
"id": "ADV-2010-0745",
"trust": 0.1
},
{
"db": "VUPEN",
"id": "ADV-2010-0599",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42645"
},
{
"db": "BID",
"id": "38674"
},
{
"db": "BID",
"id": "38671"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"db": "PACKETSTORM",
"id": "87984"
},
{
"db": "PACKETSTORM",
"id": "87925"
},
{
"db": "PACKETSTORM",
"id": "87200"
},
{
"db": "PACKETSTORM",
"id": "87147"
},
{
"db": "CNNVD",
"id": "CNNVD-201003-179"
},
{
"db": "NVD",
"id": "CVE-2010-0040"
}
]
},
"id": "VAR-201003-1092",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-42645"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T21:17:03.202000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "HT4070",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT4070"
},
{
"title": "HT4105",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT4105"
},
{
"title": "HT4070",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT4070?viewlocale=ja_JP"
},
{
"title": "HT4105",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT4105?viewlocale=ja_JP"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-189",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42645"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"db": "NVD",
"id": "CVE-2010-0040"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/38674"
},
{
"trust": 1.8,
"url": "http://support.apple.com/kb/ht4070"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2010/mar/msg00000.html"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/38671"
},
{
"trust": 1.3,
"url": "http://support.apple.com/kb/ht4105"
},
{
"trust": 1.1,
"url": "http://lists.apple.com/archives/security-announce/2010//mar/msg00003.html"
},
{
"trust": 1.1,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a6741"
},
{
"trust": 1.1,
"url": "http://www.securitytracker.com/id?1023706"
},
{
"trust": 1.1,
"url": "http://secunia.com/advisories/39135"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56826"
},
{
"trust": 1.0,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0040"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0040"
},
{
"trust": 0.6,
"url": "http://www.apple.com/safari/"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/14628"
},
{
"trust": 0.3,
"url": "/archive/1/510472"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-0040"
},
{
"trust": 0.2,
"url": "http://www.vupen.com/english/research.php"
},
{
"trust": 0.2,
"url": "http://www.vupen.com/exploits"
},
{
"trust": 0.2,
"url": "http://www.vupen.com/english/services"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/38932/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/39135/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://www.apple.com/itunes/download/"
},
{
"trust": 0.1,
"url": "http://www.vupen.com/english/advisories/2010/0745"
},
{
"trust": 0.1,
"url": "http://www.vupen.com/english/advisories/2010/0599"
},
{
"trust": 0.1,
"url": "http://www.apple.com/safari/download/"
},
{
"trust": 0.1,
"url": "http://webkit.org/"
},
{
"trust": 0.1,
"url": "http://www.apple.com/safari/download"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/),"
},
{
"trust": 0.1,
"url": "http://secunia.com/"
},
{
"trust": 0.1,
"url": "http://labs.idefense.com/intelligence/vulnerabilities/"
},
{
"trust": 0.1,
"url": "http://labs.idefense.com/methodology/vulnerability/vcp.php"
},
{
"trust": 0.1,
"url": "http://labs.idefense.com/"
},
{
"trust": 0.1,
"url": "http://lists.grok.org.uk/full-disclosure-charter.html"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42645"
},
{
"db": "BID",
"id": "38674"
},
{
"db": "BID",
"id": "38671"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"db": "PACKETSTORM",
"id": "87984"
},
{
"db": "PACKETSTORM",
"id": "87925"
},
{
"db": "PACKETSTORM",
"id": "87200"
},
{
"db": "PACKETSTORM",
"id": "87147"
},
{
"db": "CNNVD",
"id": "CNNVD-201003-179"
},
{
"db": "NVD",
"id": "CVE-2010-0040"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-42645"
},
{
"db": "BID",
"id": "38674"
},
{
"db": "BID",
"id": "38671"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"db": "PACKETSTORM",
"id": "87984"
},
{
"db": "PACKETSTORM",
"id": "87925"
},
{
"db": "PACKETSTORM",
"id": "87200"
},
{
"db": "PACKETSTORM",
"id": "87147"
},
{
"db": "CNNVD",
"id": "CNNVD-201003-179"
},
{
"db": "NVD",
"id": "CVE-2010-0040"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-03-15T00:00:00",
"db": "VULHUB",
"id": "VHN-42645"
},
{
"date": "2010-03-11T00:00:00",
"db": "BID",
"id": "38674"
},
{
"date": "2010-03-11T00:00:00",
"db": "BID",
"id": "38671"
},
{
"date": "2010-03-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"date": "2010-04-02T16:05:17",
"db": "PACKETSTORM",
"id": "87984"
},
{
"date": "2010-04-01T20:04:15",
"db": "PACKETSTORM",
"id": "87925"
},
{
"date": "2010-03-12T23:05:36",
"db": "PACKETSTORM",
"id": "87200"
},
{
"date": "2010-03-12T01:21:21",
"db": "PACKETSTORM",
"id": "87147"
},
{
"date": "2010-03-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201003-179"
},
{
"date": "2010-03-15T13:28:25.277000",
"db": "NVD",
"id": "CVE-2010-0040"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-09-19T00:00:00",
"db": "VULHUB",
"id": "VHN-42645"
},
{
"date": "2010-04-03T21:32:00",
"db": "BID",
"id": "38674"
},
{
"date": "2010-03-12T15:32:00",
"db": "BID",
"id": "38671"
},
{
"date": "2010-04-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-001180"
},
{
"date": "2011-07-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201003-179"
},
{
"date": "2024-11-21T01:11:23.650000",
"db": "NVD",
"id": "CVE-2010-0040"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "87147"
},
{
"db": "CNNVD",
"id": "CNNVD-201003-179"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple Safari of ColorSync Integer overflow vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001180"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "digital error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201003-179"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.