Apple Safari 4.0.5 for Windows (and probably earlier) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted HTML page can create a pop-up window using the window.open() method, and then call the parent window's window.close() method, thereby triggering the vulnerability due to an invalid pointer.
Resolution
Enable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available.
Limitations
The exploit web page must be the first page loaded into the Apple Safari browser instance on the target.
Pop-up windows must be enabled on the target Apple Safari browser, i.e., the pop-up blocker must be disabled.
The vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take longer than normal to establish the shell session.
Platforms
Windows
{"result": {"cve": [{"id": "CVE-2010-1939", "type": "cve", "title": "CVE-2010-1939", "description": "Use-after-free vulnerability in Apple Safari 4.0.5 on Windows allows remote attackers to execute arbitrary code by using window.open to create a popup window for a crafted HTML document, and then calling the parent window's close method, which triggers improper handling of a deleted window object.", "published": "2010-05-13T18:30:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1939", "cvelist": ["CVE-2010-1939"], "lastseen": "2017-09-19T13:36:58"}], "exploitdb": [{"id": "EDB-ID:12614", "type": "exploitdb", "title": "Safari 4.0.5 - parent.close Memory Corruption Exploit ASLR and DEP bypass", "description": "Safari 4.0.5 parent.close() Memory Corruption exploit (w/ASLR and DEP bypass). CVE-2010-1939. Remote exploit for windows platform", "published": "2010-05-15T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/12614/", "cvelist": ["CVE-2010-1939"], "lastseen": "2016-02-01T16:55:53"}, {"id": "EDB-ID:12573", "type": "exploitdb", "title": "Apple Safari 4.0.5 - parent.close memory corruption Code Execution Exploit 0day", "description": "Apple Safari 4.0.5 parent.close() (memory corruption) 0day Code Execution Exploit. CVE-2010-1939. 
Remote exploit for windows platform", "published": "2010-05-11T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/12573/", "cvelist": ["CVE-2010-1939"], "lastseen": "2016-02-01T16:49:34"}], "saint": [{"id": "SAINT:CA6905BBAD25DF95445E777989303FCF", "type": "saint", "title": "Apple Safari parent.close() Invalid Pointer Code Execution", "description": "Added: 05/28/2010 \nCVE: [CVE-2010-1939](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1939>) \nBID: [39990](<http://www.securityfocus.com/bid/39990>) \nOSVDB: [64482](<http://www.osvdb.org/64482>) \n\n\n### Background\n\n[Safari](<http://www.apple.com/safari/>) is a web browser for Mac OS X and Windows. \n\n### Problem\n\nApple Safari 4.0.5 for Windows (and probably earlier) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted HTML page can create a pop-up window using the window.open() method, and then call the parent window's window.close() method, thereby triggering the vulnerability due to an invalid pointer. \n\n### Resolution\n\nEnable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available. \n\n### References\n\n<http://secunia.com/advisories/39670> \n<http://www.kb.cert.org/vuls/id/943165> \n\n\n### Limitations\n\nExploit works on Apple Safari 4.0.5 for Windows. \n\nThe exploit web page must be the first page loaded into the Apple Safari browser instance on the target. \n\nPop-Up windows must be enabled on the target Apple Safari browser, i.e., disable the pop-up blocker. \n\nThe vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take a longer time than normal to establish the shell session. 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2010-05-28T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/safari_parent_close_invalid_pointer", "cvelist": ["CVE-2010-1939"], "lastseen": "2017-01-10T14:03:43"}, {"id": "SAINT:8BE66E225290861FCE73B9867488A02A", "type": "saint", "title": "Apple Safari parent.close() Invalid Pointer Code Execution", "description": "Added: 05/28/2010 \nCVE: [CVE-2010-1939](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1939>) \nBID: [39990](<http://www.securityfocus.com/bid/39990>) \nOSVDB: [64482](<http://www.osvdb.org/64482>) \n\n\n### Background\n\n[Safari](<http://www.apple.com/safari/>) is a web browser for Mac OS X and Windows. \n\n### Problem\n\nApple Safari 4.0.5 for Windows (and probably earlier) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted HTML page can create a pop-up window using the window.open() method, and then call the parent window's window.close() method, thereby triggering the vulnerability due to an invalid pointer. \n\n### Resolution\n\nEnable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available. \n\n### References\n\n<http://secunia.com/advisories/39670> \n<http://www.kb.cert.org/vuls/id/943165> \n\n\n### Limitations\n\nExploit works on Apple Safari 4.0.5 for Windows. \n\nThe exploit web page must be the first page loaded into the Apple Safari browser instance on the target. \n\nPop-Up windows must be enabled on the target Apple Safari browser, i.e., disable the pop-up blocker. \n\nThe vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take a longer time than normal to establish the shell session. 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2010-05-28T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/safari_parent_close_invalid_pointer", "cvelist": ["CVE-2010-1939"], "lastseen": "2016-12-14T16:58:06"}], "cert": [{"id": "VU:943165", "type": "cert", "title": "Apple Safari window object invalid pointer vulnerability", "description": "### Overview\n\nApple Safari contains a vulnerability in the handling of window objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nApple Safari fails to properly handle references to window objects. Safari can allow a window object to be deleted, while references to the object may still exist. If JavaScript code then attempts to use the deleted window object, this can result in the use of an invalid pointer. This pointer can be controlled by an attacker through the use of JavaScript. \n\nExploit code for this vulnerability is publicly available. We have confirmed Apple Safari 4.0.5 on the Windows platform to be vulnerable. Other versions may also be affected. \n \n--- \n \n### Impact\n\nBy convincing a victim to view an HTML document (webpage, HTML email, or email attachment) with Apple Safari, an attacker could run arbitrary code with the privileges of the user running the application. \n \n--- \n \n### Solution\n\n**Apply an update** \nThis issue is addressed in Safari 5.0 and 4.1. Please see Apple document [HT4196](<http://support.apple.com/kb/HT4196>) for more details. \n \n--- \n \n**Disable JavaScript**\n\n \nThis issue can be mitigated by disabling JavaScript in Apple Safari. Please see the [Securing Your Web Browser](<http://www.cert.org/tech_tips/securing_browser/#ssecurity>) document for more details. 
\n \n**Do not follow unsolicited links** \n \nIn order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApple Inc.| | -| 27 Jul 2010 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23943165 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.cert.org/tech_tips/securing_browser/#ssecurity>\n * <http://secunia.com/advisories/39670/>\n\n### Credit\n\nThis vulnerability was publicly disclosed by Krystian Kloskowski.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2010-1939](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1939>) [CVE-2010-1750](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1750>)\n * Date Public: 07 May 2010\n * Date First Published: 10 May 2010\n * Date Last Updated: 27 Jul 2010\n * Severity Metric: 20.41\n * Document Revision: 16\n\n", "published": "2010-05-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/943165", "cvelist": ["CVE-2010-1939", "CVE-2010-1939", "CVE-2010-1750", "CVE-2010-1750"], "lastseen": "2016-02-03T09:13:28"}], "openvas": [{"id": 
"OPENVAS:1361412562310902025", "type": "openvas", "title": "Apple Saferi multiple vulnerabilities (Mar10)", "description": "The host is running Apple Saferi and is prone to multiple\n vulnerabilities.", "published": "2010-03-23T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902025", "cvelist": ["CVE-2010-1029", "CVE-2010-1939"], "lastseen": "2018-01-22T13:06:01"}, {"id": "OPENVAS:902025", "type": "openvas", "title": "Apple Saferi multiple vulnerabilities (Mar10)", "description": "The host is running Apple Saferi and is prone to multiple\n vulnerabilities.", "published": "2010-03-23T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=902025", "cvelist": ["CVE-2010-1029", "CVE-2010-1939"], "lastseen": "2017-07-02T21:09:59"}]}}