Marcin "Icewall" Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Apple Safari web browser contains a remote code execution vulnerability in its Webkit feature. Specifically, an attacker could trigger a use-after-free condition in WebCore, the DOM-rendering system for Webkit used in Safari. This could give the attacker the ability to execute remote code on the victim machine. A user needs to open a specially crafted, malicious web page in Safari to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Apple Safari/Webkit aboutBlankURL() code execution vulnerability (TALOS-2020-1124/CVE-2020-9951)

An exploitable use-after-free vulnerability exists in MacOSX Safari Version 13.0.2 (15609., 610+) Webkit GIT 44383bcbaf11c4c2aa55e1b8899ab84b1ddfccca and Ubuntu Webkit GTK GIT 44383bcbaf11c4c2aa55e1b8899ab84b1ddfccca. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that this vulnerability affects Apple Safari/Webkit, version 13.0.2 (15609., 610+) Webkit GIT 44383bcbaf11c4c2aa55e1b8899ab84b1ddfccca [–release] and Apple Safari/Webkit GTK GIT 44383bcbaf11c4c2aa55e1b8899ab84b1ddfccca [–release].


The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules: 54586, 54587