CVE-2010-1939
published 2010-05-13


Priority: P3 (49), high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 14.71% (96.2th percentile)
Use-after-free vulnerability in Apple Safari 4.0.5 on Windows allows remote attackers to execute arbitrary code by using window.open to create a popup window for a crafted HTML document, and then calling the parent window's close method, which triggers improper handling of a deleted window object.

Affected (1 range)

Vendor   Product   Version range   Fixed in
apple    safari    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12614.zip
filename: safari_parent_close_sintsov.zip
filename: START.htm
filename: 0day.html
filename: 0day.htm
bytes: 0x09090101
  • Exploit chain involves a specific multi-file HTML sequence: START.htm loads iff.htm, which loads if1.htm, which loads 0day.html. Detection of this file chain on disk or in web traffic is a strong indicator of exploitation.
  • Exploit triggers via window.open() to create a popup followed by parent.close() call. Monitor JavaScript in web content for this pattern targeting Safari on Windows.
  • JIT-spray technique is used to bypass ASLR and DEP; the JIT-sprayed shellcode is called via ESI register at address 0x09090101. Memory forensics or crash dumps showing CALL ESI at this address indicate exploitation.
  • Remote exploitation requires popups to be enabled in Safari (Ctrl+Shift+K). Alerting on Safari popup permission changes or popup-enabled browsing sessions may help scope exposure.
  • Talos/VRT released Snort rules on June 14, 2010 specifically covering CVE-2010-1939 Apple Safari RCE. Ensure those rule sets are applied.
  • Exploitation is limited to Apple Safari 4.0.5 on Windows. Other platforms or Safari versions are not confirmed affected.
  • Remote exploitation requires the victim's browser to have popups enabled; without popup permission the attack vector is reduced to local.
  • The exploit was tested specifically on XP SP2 Polish; behavior on other Windows versions or service packs may differ.