Webkit fontface Invalid Font Family Remote Code Execution Vulnerability

2012-03-26T00:00:00
ID ZDI-12-054
Type zdi
Reporter wushi of team509 miaubiz
Modified 2012-11-09T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing and utilization of font objects. When the code parses the @font-face CSS element it does not validate that the font-family is legitimate. Later, if the same font-family is applied within CSS the code will access an invalid element of its internal font object. This can be leveraged by a remote attacker to execute code under the context of the user running the browser.