Hole in Safari rounds off "Month of Browser Bugs"
H.D. Moore has completed his Month of Browser Bugs (MoBB) with a security hole in Apple's Safari. In contrast to most of the other holes described in the MoBB, this one is based on a null pointer dereference, and apparently allows code to be injected and executed. It seems that Moore does not have the time to write a carefully programmed exploit to demonstrate this, and he therefore only provides a demo that causes Safari to crash on a fully patched Mac with OS X 10.4.x (PPC).
French security research organization FrSIRT ranks the hole as critical, but last week the same authors changed their assessment of a hole in Opera from "critical" to "low risk". Although Safari is based on the Open Source browser Konqueror, the latter is apparently not vulnerable to this problem, which is caused by an error in the processing of a script element in the function KHTMLParser::popOneBlock().
Although the MoBB project has now been terminated after the publication of the 31 holes that were promised, Moore plans to continue writing the blog he launched for this project as a vehicle for reporting on holes in browsers in the future. Other members of the security community are providing assistance. To keep the ball rolling, Moore, who also developed Metasploit, has provided a download of his ActiveX fuzzing tool called AxMan. "Fuzzing engines" are special tools that feed an application with bad data until an error occurs. A debugger takes a look at these crashes to try to determine the cause and see whether the process can be used for attacks.
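To make the fuzzing-plus-triage loop described above concrete, here is an added Python example (not code from H.D. Moore, AxMan, or the MoBB project). It mutates a seed input, feeds each variant to a constructed toy tag parser that carries a deliberate defect of my own (an unguarded stack pop on an unmatched closing tag; this is not Safari's bug), distinguishes clean rejections from real crashes, and buckets the crashes by exception type and faulting location the way a debugger-driven triage step would, so duplicates collapse into one finding. All names and sample inputs are assumptions made for this example.

```python
import random
import traceback
from collections import defaultdict


class ParseError(Exception):
    """Expected, well-behaved rejection of malformed input (not a bug)."""


def parse_blocks(data: bytes) -> int:
    """Constructed target: count balanced <b>...</b> blocks.

    Deliberate defect for the fuzzer to find: a closing tag with no
    open block pops an empty list and raises IndexError instead of
    ParseError.
    """
    stack = []
    closed = 0
    i = 0
    while i < len(data):
        if data.startswith(b"<b>", i):
            stack.append(i)
            i += 3
        elif data.startswith(b"</b>", i):
            stack.pop()  # defect: IndexError when no block is open
            closed += 1
            i += 4
        elif data[i:i + 1].isalnum() or data[i:i + 1] == b" ":
            i += 1
        else:
            raise ParseError(f"unexpected byte at offset {i}")
    if stack:
        raise ParseError("unclosed block")
    return closed


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations to the seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "delete", "insert", "dup"))
        if op == "flip" and data:
            pos = rng.randrange(len(data))
            data[pos] ^= 1 << rng.randrange(8)
        elif op == "delete" and data:
            del data[rng.randrange(len(data))]
        elif op == "insert":
            pos = rng.randint(0, len(data))
            data[pos:pos] = bytes([rng.randrange(256)])
        elif op == "dup" and data:
            lo, hi = sorted((rng.randrange(len(data)), rng.randrange(len(data))))
            data[hi + 1:hi + 1] = data[lo:hi + 1]  # duplicate a slice in place
    return bytes(data)


def reproduces(target, case: bytes):
    """Re-run one input; return the crash's exception name, or None."""
    try:
        target(case)
    except ParseError:
        return None
    except Exception as exc:  # noqa: BLE001 - any unexpected failure is a crash
        return type(exc).__name__
    return None


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1):
    """Fuzz `target` and return crashes bucketed by (exception, function, line)."""
    rng = random.Random(rng_seed)
    crashes = defaultdict(list)
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            continue  # clean rejection of bad data: expected behaviour
        except Exception as exc:  # noqa: BLE001
            # Triage: group by exception type and innermost frame, so that
            # thousands of inputs hitting one defect become one bucket.
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.name, frame.lineno)
            crashes[key].append(case)
    return dict(crashes)


if __name__ == "__main__":
    found = fuzz(parse_blocks, b"<b>hello</b>", 2000)
    for key, cases in found.items():
        print(f"{key}: {len(cases)} inputs, e.g. {cases[0]!r}")
```

The important design point is the two `except` arms: a parser that raises its documented error on garbage is doing its job, so only unexpected exception types count as crashes, and each bucket keeps its inputs so the defect can be reproduced on demand with `reproduces()` rather than rediscovered.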
Moore says that AxMan found and analyzed all of the holes in ActiveX controls in Internet Explorer. In addition, he says that he found more than a hundred additional weak points in the products of other vendors. Moore, who generally releases information about holes immediately without contacting companies, is taking a somewhat unusual step for him: he will not be publishing any details about these holes in order to give the vendors some time to react. An online demo is also available for AxMan.
- MoBB #31: Safari KHTMLParser::popOneBlock, H.D. Moore's blog entry