Apple WebKit dir Attribute Freeing Dangling Object Pointer Vulnerability

ID ZDI-09-033
Type zdi
Reporter wushi&ling of team509
Modified 2009-11-09T00:00:00


This vulnerability allows attackers to execute arbitrary code on vulnerable software utilizing the Apple WebKit library. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists when the document.body element contains a specific XML container containing various elements supporting the 'dir' attribute. During the destruction of this element, if the rendering object responsible for the element is being removed, the application will then make a call to a method for an object that doesn't exist which can lead to code execution under the context of the current user.