I. BACKGROUND WebKit is an open source web browser engine. It is currently used by Apple Inc.'s Safari browser, as well as by Google's Chrome browser. For more information, see the vendor's site at the following link. http://webkit.org/ II. DESCRIPTION Remote exploitation of a memory corruption vulnerability in WebKit, as included with multiple vendors' browsers, could allow an attacker to execute arbitrary code with the privileges of the current user. Scalable Vector Graphics (SVG) is an XML based file format used to describe two dimensional vector graphics. It defines both a markup language, and a JavaScript interface. When processing DOM queries to SVG tags, Safari fails to handle exceptional conditions. It is possible to trigger a use after free vulnerability by query some properties of SVG tags. This leaves a C++ object pointer in an inconsistent state, which can lead to the execution of arbitrary code. III. ANALYSIS Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the web page. To exploit this vulnerability, a targeted user must load a malicious webpage created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. After the user visits the malicious web page, no further user interaction is needed. IV. DETECTION Safari versions prior to 5.1 and 5.0.6 are vulnerable. V. WORKAROUND Disabling JavaScript is an effective workaround for this vulnerability. VI. VENDOR RESPONSE Apple Inc. has released patches which addresses this issue. For more information, consult their advisory at the following URL: http://support.apple.com/kb/HT4808 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-0222 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 05/28/2011 Initial Vendor Notification 06/02/2011 Initial Vendor Reply 07/25/2011 Coordinated Public Disclosure IX. CREDIT This vulnerability was demonstrated by Nikita Tarakanov (CISS Research Team) and Alex Bazhanyuk(CISS Research Team) during Positive Hack Days Conference via hack2own contest.