CESA-2008-004 - rev 2
[See all my vulnerabilities at
http://scary.beasts.org/security]
[The blog, if you want to subscribe to new findings, is at
http://scarybeastsecurity.blogspot.com/]
Safari libxslt attack vector
Programs affected: Safari.
Severity: Possible remote code execution in browser.
Apple advisory: APPLE-SA-2008-07-11
Safari (and WebKit) use libxslt for XSLT support in the browser. Until this
Apple update, the libxslt version used had known crashes and vulnerabilities,
for example:
http://bugzilla.gnome.org/show_bug.cgi?id=527297
http://xforce.iss.net/xforce/xfdb/42560
XSLT in browsers would seem to be an under-researched attack vector. XSLT is
a Turing-complete language, which is always an interesting part of the attack
surface.
Demo URL to flatten Safari:
http://scary.beasts.org/misc/msxml.xml
Credits
- Anthony de Almeida Lopes, who found the example libxslt bug linked, and
also noted in the report that it could be a security issue. I did not find
any particular bug in libxslt - I'm just noting the applicability to Safari,
and I encouraged Apple to secure this for their users in the latest update.
- Tim Newsham independently noted libxslt as a possible attack vector.
Chris Evans
scarybeasts@gmail.com