Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Apple’s Safari web browser is open to a remote code execution vulnerability via the SVG marker element feature in Safari's WebKit. Safari uses the WebCore DOM rendering system in WebKit. The rendering engine allows the static SVG marker element to be overwritten using JavaScript code, which results in memory corruption. An attacker needs to trick the user into opening a specially crafted web page in Safari in order to exploit this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Apple Safari SVG marker element baseVal remote code execution vulnerability (TALOS-2019-0943/CVE-2019-8846)

A freed memory access vulnerability exists in the SVG Marker Element feature of Apple Safari's WebKit, version 13.0.2. A specially crafted HTML web page can cause a use after free, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, a specially crafted HTML web page needs to be opened in the browser.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 13.01.2 (15608.2.30.1.1) of Safari utilizing WebKit GIT 497221ef6a94f0603c1e8c4207094fc50e8ccf2a is affected by this vulnerability.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52048, 52049