Multiple Vulnerabilities in WebKit Could Allow for Remote Code Execution

ITS Advisory Number: 
2014-105
Date(s) Issued: 
Thursday, December 4, 2014
Subject: 
Multiple Vulnerabilities in WebKit Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in the WebKit browser engine, which is used primarily to power the Apple Safari browser and older versions of Google Chrome. Successful exploitation of these vulnerabilities could result in remote code execution allowing for an attacker to gain control of a host and have the same privileges as the user running the affected application. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 

Apple Safari prior to 6.2.1
Google Chrome prior to version 27

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Multiple memory corruption vulnerabilities exist in WebKit that could allow remote code execution. These issues were addressed through improved memory handling.

WebKit is an open source browser engine that is used by multiple applications to power the Apple Safari web browser. In addition to Safari, versions of the Google Chrome prior to version 27 also use WebKit.

The vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of these vulnerabilities could result in remote code execution allowing for an attacker to gain control of a host and have the same privileges as the user running the affected application. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Currently no working exploits have been reported, and Apple has released updates to resolve the issues for their Safari browser.

Actions: 

We recommend the following actions be taken:
Update vulnerable products immediately after appropriate testing.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Do not open email attachments or click on URLs from unknown or un-trusted sources.