CVE-2011-1417
Apple Safari OfficeArtBlip Parsing Remote Code Execution Vulnerability
Severity Score
6.8
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document with a crafted size field in the OfficeArtMetafileHeader, related to OfficeArtBlip, as demonstrated on the iPhone by Charlie Miller and Dion Blazakis during a Pwn2Own competition at CanSecWest 2011.
Un desbordamiento de enteros en QuickLook, tal y como es usado en Mac OS X anterior a versión 10.6.7 y MobileSafari en iOS anterior a versión 4.2.7 y versiones 4.3.x anteriores a 4.3.2, de Apple, permite a los atacantes remotos ejecutar código arbitrario o causar una denegación de servicio (corrupción de memoria y bloqueo de aplicación) por medio de un documento de Microsoft Office con un campo de tamaño diseñado en OfficeArtMetafileHeader, relacionado a OfficeArtBlip, como es demostrado en el iPhone por Charlie Miller y Dion Blazakis durante una competencia de Pwn2Own en CanSecWest 2011.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari on the iPhone. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the support for parsing Office files. When handling the OfficeArtMetafileHeader the process trusts the cbSize field and performs arithmetic on it before making an allocation. As the result is not checked for overflow, the subsequent allocation can be undersized. Later when copying into this buffer, memory can be corrupted leading to arbitrary code execution under the context of the mobile user on the iPhone.
*Credits:
Charlie Miller and Dion Blazakis
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2011-03-11 CVE Reserved
- 2011-03-11 CVE Published
- 2024-08-06 CVE Updated
- 2024-09-19 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-189: Numeric Errors
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011 | X_refsource_misc | |
| http://support.apple.com/kb/HT4607 | X_refsource_confirm |
|
| http://www.zdnet.com/blog/security/charlie-miller-wins-pwn2own-again-with-iphone-4-exploit/8378 | X_refsource_misc | |
| http://www.zerodayinitiative.com/advisories/ZDI-11-109 | X_refsource_misc |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html | 2012-03-30 | |
| http://support.apple.com/kb/HT4581 | 2012-03-30 |
| URL | Date | SRC |
|---|---|---|
| http://lists.apple.com/archives/Security-announce/2011//Oct/msg00005.html | 2012-03-30 | |
| http://lists.apple.com/archives/security-announce/2011//Apr/msg00000.html | 2012-03-30 | |
| http://lists.apple.com/archives/security-announce/2011//Apr/msg00001.html | 2012-03-30 | |
| http://secunia.com/advisories/44154 | 2012-03-30 | |
| http://support.apple.com/kb/HT5003 | 2012-03-30 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | <= 10.6.6 Search vendor "Apple" for product "Mac Os X" and version " <= 10.6.6" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | 10.6.0 Search vendor "Apple" for product "Mac Os X" and version "10.6.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | 10.6.1 Search vendor "Apple" for product "Mac Os X" and version "10.6.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | 10.6.2 Search vendor "Apple" for product "Mac Os X" and version "10.6.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | 10.6.3 Search vendor "Apple" for product "Mac Os X" and version "10.6.3" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | 10.6.4 Search vendor "Apple" for product "Mac Os X" and version "10.6.4" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | 10.6.5 Search vendor "Apple" for product "Mac Os X" and version "10.6.5" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | <= 10.6.6 Search vendor "Apple" for product "Mac Os X Server" and version " <= 10.6.6" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | 10.6.0 Search vendor "Apple" for product "Mac Os X Server" and version "10.6.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | 10.6.1 Search vendor "Apple" for product "Mac Os X Server" and version "10.6.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | 10.6.2 Search vendor "Apple" for product "Mac Os X Server" and version "10.6.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | 10.6.3 Search vendor "Apple" for product "Mac Os X Server" and version "10.6.3" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | 10.6.4 Search vendor "Apple" for product "Mac Os X Server" and version "10.6.4" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Server Search vendor "Apple" for product "Mac Os X Server" | 10.6.5 Search vendor "Apple" for product "Mac Os X Server" and version "10.6.5" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | <= 4.2.5 Search vendor "Apple" for product "Iphone Os" and version " <= 4.2.5" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.0.0 Search vendor "Apple" for product "Iphone Os" and version "1.0.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.0.1 Search vendor "Apple" for product "Iphone Os" and version "1.0.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.0.2 Search vendor "Apple" for product "Iphone Os" and version "1.0.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.1.0 Search vendor "Apple" for product "Iphone Os" and version "1.1.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.1.1 Search vendor "Apple" for product "Iphone Os" and version "1.1.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.1.2 Search vendor "Apple" for product "Iphone Os" and version "1.1.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.1.3 Search vendor "Apple" for product "Iphone Os" and version "1.1.3" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.1.4 Search vendor "Apple" for product "Iphone Os" and version "1.1.4" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 1.1.5 Search vendor "Apple" for product "Iphone Os" and version "1.1.5" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 2.0 Search vendor "Apple" for product "Iphone Os" and version "2.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 2.1 Search vendor "Apple" for product "Iphone Os" and version "2.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 2.1.1 Search vendor "Apple" for product "Iphone Os" and version "2.1.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 2.2 Search vendor "Apple" for product "Iphone Os" and version "2.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 2.2.1 Search vendor "Apple" for product "Iphone Os" and version "2.2.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 3.0 Search vendor "Apple" for product "Iphone Os" and version "3.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 3.0.1 Search vendor "Apple" for product "Iphone Os" and version "3.0.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 3.1 Search vendor "Apple" for product "Iphone Os" and version "3.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 3.1.2 Search vendor "Apple" for product "Iphone Os" and version "3.1.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 3.2 Search vendor "Apple" for product "Iphone Os" and version "3.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 3.2.1 Search vendor "Apple" for product "Iphone Os" and version "3.2.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 3.2.2 Search vendor "Apple" for product "Iphone Os" and version "3.2.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 4.0 Search vendor "Apple" for product "Iphone Os" and version "4.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 4.0.1 Search vendor "Apple" for product "Iphone Os" and version "4.0.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 4.0.2 Search vendor "Apple" for product "Iphone Os" and version "4.0.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 4.1 Search vendor "Apple" for product "Iphone Os" and version "4.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 4.2 Search vendor "Apple" for product "Iphone Os" and version "4.2" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 4.2.1 Search vendor "Apple" for product "Iphone Os" and version "4.2.1" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 4.3.0 Search vendor "Apple" for product "Iphone Os" and version "4.3.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | 4.3.1 Search vendor "Apple" for product "Iphone Os" and version "4.3.1" | - |
Affected
| ||||||