Rixstep

Total Crash

It takes everything with it.


Safari 2.0.3 on 10.4.6 can not only fall ingloriously, it can also bring down the entire operating system, a feat of considerable prowess considering OS X is supposed to be using protected memory.

The fun never ends. At least not when running iPod peripherals these days. Yannick von Arx posted a POC at Full Disclosure that when seen in the latest Safari running on the latest Tiger causes a system wide freeze that resolves only by force rebooting or, if you're patient, waiting several minutes while Safari spikes the CPU and eventually crashes and burns on its own.

It's a tasty concoction.

Yannick tested this with Safari 417.9.2 on both 10.4.5 (8H14) and 10.4.6 (8I127) with identical results.

Overview:
A vulnerability exists in Safari 2.0.3 (417.9.2) and perhaps in prior versions which causes the operating system to slow down SRCOD (Spinning Rainbow Cursor Of Death), and therefore, it's not possible to launch any applications like Terminal to kill the process. After several minutes Safari crashes.

Safari screws up on the table row span spec.

Technical Details:
Create a new File with following code...

<HTML>
<TABLE>
<TR><TD ROWSPAN=2000000000>

That's all you need.

Browsers based on the Gecko engine (Camino, Firefox) are not affected.

Sounds Familiar

If all this sounds familiar, it could be because this was reported to Apple over four months ago by Tom Ferris.

Mac OS X <= 10.4.5 KHTMLParser DoS

Release Date:
December 21, 2005

Severity:
Medium

Vendor:
Apple

Versions Affected:
Mac OS X 10.4.5 (PPC & x86) and prior
Safari 2.0.3 (417.8) and prior
TextEdit 1.4 (220) and prior
Shiira 1.2 and prior

Overview:
A denial of service vulnerability exists within the KHTMLParser on Apple OS X 10.4.5 and all prior versions which allows an attacker to cause the application which uses this class to crash.

Technical Details:
When running a specially crafted .html file, the khtml::RenderTableSection::ensureRows improperly parses the data and causes the crash. The KHTML parser attempts to resize an internal array to the number of elements indicated by the rowspan value. If the value is very large, it is not possible to resize the array and the application quits. On a default install of Apple OS X, Safari and TextEdit are vulnerable.
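
The failure mode Ferris describes, an internal row array resized to whatever rowspan says, as an added C example that is not KHTML's or Apple's code: a rowspan attribute parser that clamps the value, and an ensure_rows that refuses an oversized request instead of handing it to the allocator. The cap MAX_ROWSPAN of 65534 is an assumption (it is the limit the current HTML standard sets for rowspan), not a value from KHTML.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on rowspan (the HTML standard's limit), not KHTML's. */
#define MAX_ROWSPAN 65534

/* Parse a rowspan attribute defensively: non-numeric or non-positive input
   falls back to the default of 1, and anything above the cap (including a
   value too large for a long) is clamped rather than passed downstream. */
long parse_rowspan(const char *attr)
{
    char *end;
    errno = 0;
    long v = strtol(attr, &end, 10);
    if (end == attr || v < 1)
        return 1;
    if (errno == ERANGE || v > MAX_ROWSPAN)
        return MAX_ROWSPAN;
    return v;
}

/* Minimal stand-in for a table section's row array. */
struct table_section {
    size_t capacity;   /* rows currently allocated */
    int *rows;         /* one int per row is enough for the demonstration */
};

/* Grow the row array so that `needed` rows exist. Returns 0 on success and
   -1 if the request exceeds the cap or the allocation fails; the old array
   is kept either way, so a hostile rowspan cannot take the process down. */
int ensure_rows(struct table_section *s, size_t needed)
{
    if (needed > MAX_ROWSPAN)          /* refuse before touching the heap */
        return -1;
    if (needed <= s->capacity)
        return 0;
    int *grown = realloc(s->rows, needed * sizeof *grown);
    if (grown == NULL)
        return -1;
    memset(grown + s->capacity, 0, (needed - s->capacity) * sizeof *grown);
    s->rows = grown;
    s->capacity = needed;
    return 0;
}
```

With the page's ROWSPAN=2000000000 the parser yields 65534 and the section grows to that many rows; an unclamped request of two billion rows is rejected with -1 and leaves the section untouched.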

At Apple, we take security very seriously.

Copyright © Rixstep. All rights reserved.