Apple Safari parent.close() Invalid Pointer Code Execution

ID SAINT:72C046E8C4B49955C9B463BA037E1F63
Type saint
Reporter SAINT Corporation
Modified 2010-05-28T00:00:00


Added: 05/28/2010
CVE: CVE-2010-1939
BID: 39990
OSVDB: 64482


Safari is a web browser for Mac OS X and Windows.


Apple Safari 4.0.5 for Windows (and probably earlier versions) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted HTML page opens a pop-up window and then calls the parent window's window.close() method (the parent.close() call of the title); closing the window while the pop-up still references it leaves an invalid pointer behind, which is then used and triggers the vulnerability.
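The trigger pattern described above, a page whose script both opens a pop-up and closes its parent window, is specific enough to look for in page content. The following is an added example and is not part of the SAINT advisory, the original proof of concept, or any Apple or WebKit code: a small Node.js heuristic that extracts the inline scripts of an HTML document and reports whether they contain both a window-open call and a parent/top/window close call. The function names, the regular expressions, and the sample pages are all assumptions constructed for this example.

```javascript
// Added example (not from the SAINT advisory): a static heuristic that flags
// HTML documents combining a pop-up open with a parent/top/window close, the
// trigger pattern described for CVE-2010-1939. Intended as a content-filter
// rule in a web proxy or mail gateway, not as a proof of the vulnerability.
'use strict';

// Extract the bodies of inline <script> blocks. External scripts and inline
// on* event handlers are not inspected by this example.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    scripts.push(m[1]);
  }
  return scripts;
}

// Strip JS comments so commented-out calls do not count. Rough on purpose:
// it does not understand string literals, so "http://" inside a string is
// treated as the start of a line comment.
function stripComments(js) {
  return js.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/[^\n]*/g, '');
}

// A bare open(, window.open( or self.open(, but not document.open( or fs.open(.
const OPEN_RE = /(?:^|[^\w.])(?:window\.|self\.)?open\s*\(/;
// parent.close(), top.close(), opener.close(), window.close(), self.close().
const CLOSE_RE = /\b(?:parent|top|opener|window|self)\.close\s*\(/;

// Returns a verdict object; "suspicious" is true only when both calls appear.
function analyzeHtml(html) {
  const scripts = extractScripts(html).map(stripComments);
  const code = scripts.join('\n');
  const opensPopup = OPEN_RE.test(code);
  const closesWindow = CLOSE_RE.test(code);
  return {
    suspicious: opensPopup && closesWindow,
    opensPopup,
    closesWindow,
    scriptCount: scripts.length,
  };
}

// Constructed sample pages (assumptions for this example, not the real PoC).
const SAMPLES = {
  // The described trigger: open a pop-up, then close the parent window.
  trigger: `<html><body><script>
      var w = window.open("about:blank", "p");
      parent.close();
    </script></body></html>`,
  // Benign: opens a pop-up but never closes the parent window.
  popupOnly: `<html><script>window.open("/help.html", "help");</script></html>`,
  // Benign: a "close this window" page that opens nothing.
  closeOnly: `<html><script>function bye() { window.close(); }</script></html>`,
  // A commented-out close call must not count.
  commented: `<html><script>
      window.open("x");
      // parent.close();
    </script></html>`,
  // No script at all.
  plain: `<html><body><p>Hello</p></body></html>`,
};

// Scan a map of name -> html and return name -> suspicious flag.
function scanAll(samples) {
  const out = {};
  for (const [name, html] of Object.entries(samples)) {
    out[name] = analyzeHtml(html).suspicious;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanAll(SAMPLES));
}

if (typeof module !== 'undefined') {
  module.exports = { extractScripts, stripComments, analyzeHtml, scanAll, SAMPLES };
}
```

Treat a hit as a reason to inspect, not to block outright: legitimate pages do occasionally open a helper window and then close themselves, and an attacker can trivially evade a regular-expression check with string concatenation, eval, or an external script. The heuristic is only as good as the narrow pattern the advisory describes.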


Enable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available.




Exploit works on Apple Safari 4.0.5 for Windows.

The exploit web page must be the first page loaded into the Apple Safari browser instance on the target.

Pop-up windows must be enabled on the target Apple Safari browser, i.e., the pop-up blocker must be disabled.

The vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take a longer time than normal to establish the shell session.