About | ACP | Get Stuff | Industry Watch | Learn | NSFW | Search | Test Drive
Home » Industry Watch » The Technological

Safari Exploit Runs Windows Calculator

The sky has not fallen.

Get It

Try It

(SOMEWHERE IN POLAND) Rixstep — An exploit against Safari 4.0.5 on Windows has been published. This exploit hacks at JavaScript code to start the Windows calculator.

A number of sites have already published news of the proof of concept, claiming it's not known if this affects Safari on other platforms. But as things stand, it doesn't - the exploit was specifically crafted for Windows XP SP2 and only tested there.

The exploit does not seem to make any attempt at privilege escalation.

The proof of concept code has been published - it's contained in two HTML files. The first file simply opens the second as a popup and then closes it.

The comments to the second file reveal the following.

Apple Safari 4.0.5 parent.close() (memory corruption) 0day Code Execution Exploit
Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
Tested on: Apple Safari 4.0.5 / XP SP2 Polish
Shellcode: Windows Execute Command (calc)
Local: Yes
Remote: Yes (POPUP must be enabled [Ctrl+Shift+K])
Just for fun ;)

Note the code is Windows-specific.

Apple haven't commented but it remains to be seen whether this code can be rewritten to hack at OS X. As OS X does not support Windows Calculator, things are calm for the moment.

El Reg quote good old Secunia as saying the vulnerability is 'highly cfical' [sic]. One interpretation is the mysterious phrase actually stands for 'highly superficial'.

But if this bottoms out in an error in WebKit then one may expect a fix in no time.

[Note: Secunia seem reluctant to openly disclose what platforms are affected. See the link below.]

Further Reading
The Register: Code-execution bug found in Apple Safari
US-CERT: Apple Safari window object invalid pointer vulnerability
Secunia: Apple Safari 'parent.close()' Code Execution Vulnerability

About | ACP | Get Stuff | Industry Watch | Learning Curve | Newsletter | Search | Test Drive
Copyright © Rixstep. All rights reserved.