WebKit chaos

Software that uses the popular WebKit browser engine to render web pages was, until recently, vulnerable to a universal cross-site scripting (UXSS) attack, Google’s Project Zero announced yesterday.

The bug lay in the way WebKit clears references to cross-origin objects when a page is unloaded. It would have allowed an attacker’s page to execute JavaScript in the context of another origin, bypassing the browser’s same-origin policy, and has since been patched.

An XML document with an attached XSLT stylesheet allowed a cross-origin object to survive the removal of the document that referenced it, Google said.

Using nested iframes and a form submission, an attacker could then run JavaScript against that lingering cross-origin object by navigating it to a javascript: URL, triggering the UXSS.

“The problem is that by the time setDocument is called, newDocument might already have a reference to a Frame object, and if the method returns early, that reference will never get cleared by subsequent navigations,” Project Zero’s Sergei Glazunov wrote in a bug report.

“It's not possible to trigger document replacement inside setDocument via a regular navigation request or a javascript: URI load; however, an attacker can use an XSLT transformation for that.”

WebKit is used on multiple operating systems and is the default browser engine on Apple’s iOS. It powers applications such as the Safari browser, Mail, and Apple’s App Store.

The critical vulnerability was reported to Apple on June 4; Project Zero gives vendors a hard 90-day deadline to ship a fix before details are published.