Sad Day for Safari On Windows
In the last day a number of vulnerabilities have been disclosed by researchers against the newly released Safari for Windows. The first was Dave Maynor’s full disclosure, then came Aviv Raff’s disclosure, and finally today Thor Larholm disclosed his vulnerability. Thor’s is probably furthest along in being an actual working exploit. Not a good day for Safari.
Probably the most interesting part of this is Dave Maynor’s reasons for going Full Disclosure. He doesn’t talk about it much on his blog, other than this little quip: “Keeping with our disclosure policy, we do not report bugs to Apple.” Apple has had a long history of bad dealings with security researchers, and they are now seeing a backlash amongst the security community. No surprises though; you get what you ask for. It pays not to make enemies in this business.



June 12th, 2007 at 9:05 pm
Yes, that was funny yesterday: A German IT-news page said something like “Wow, Safari on Windows now, very cool, very fast” and only a few hours later there was a second article like “uuurgh, Safari on Windows: Many Bugs, it suxx”
June 12th, 2007 at 9:06 pm
Hahah.. funny… Matasano had a rebuttal to Dave’s anti-Apple disclosure policy here: http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/
June 12th, 2007 at 10:00 pm
From the Apple website…
12 reasons you’ll love Safari.
1. Blazing Performance
2. Elegant User Interface
3. Easy Bookmarks
4. Pop-up Blocking
5. Inline Find
6. Tabbed Browsing
7. SnapBack
8. Forms AutoFill
9. Built-in RSS
10. Resizable Text Fields
11. Private Browsing
12. Security
And another quote: “Apple engineers designed Safari to be secure from day one.”
June 12th, 2007 at 11:32 pm
Tarradog, I suppose this really shows pdp is right.
Security should be reactive and there is no such thing as secure out of the box or being designed for security.
Anyways, I installed Safari when it came to Windows recently… then uninstalled it 15 minutes later.
June 12th, 2007 at 11:50 pm
SDLC and Apple aren’t friends at the moment.
It’s sad when the marketing department controls releases
June 13th, 2007 at 12:23 am
I am not an Apple/Safari user or anything but it seems that the security of an application relies on the running OS. Memory Corruption and possible Exploitation may very well be caused by the fact that Safari is running for the first time in Windows and Apple doesn’t understand Windows (hell, even Microsoft does not understand Windows). There may be some issues developers must get familiar with.
Security holes cannot be detected during normal beta testing.
Is it possible to reproduce any of these vulnerabilities on Mac OS X?
June 13th, 2007 at 12:35 am
I watched the highlights from Steve Jobs’ speech about Safari’s coming release the other day, and thought, “Just another application to have to worry about in the cross-browser exploitation efforts.”
June 13th, 2007 at 12:57 am
Legionnaire, from what it looks like, yes
June 13th, 2007 at 2:46 am
Legionnaire,
you should notice: “These bugs have been verified in the current PRODUCTION copy on OSX (Safari 2.0.4).” (http://erratasec.blogspot.com/2007/06/niiiice.html)
June 13th, 2007 at 3:33 am
Kyran, I planned on installing it to give it a test but never got around to it. Don’t think I’ll bother anymore.
June 13th, 2007 at 5:25 am
“they are now seeing a backlash amongst the security community.”
Oh, I don’t know, I think the intelligent among us realize that any beta software is going to have problems, and that anything they release from now until the end of time will be scrutinized by Maynor, at first to the benefit of more secure code, and then over time to the detriment of vulnerability research as he becomes a tired, squeaky wheel, screaming “hey, look at me, I found another Apple bug” every time the release cycle comes around.
I’m not stupid enough to believe that we, in security, have carte blanche to sit back and myopically focus on our own subculture without considering the larger IT picture. Take Safari, for example! There’s no doubt that Konqueror became a better browser after Apple contributed code and eventually hired Hyatt. With moves like that, Apple’s bought a lot of goodwill since 2000 - and it’s going to take more than an attention whore with one bad experience at the peak of blogdom to overcome that equity.
June 13th, 2007 at 6:01 am
I’ve found some more bugs in HTTP-Auth.
For those who can read German go here: http://www.bitsploit.de/archives/435-HTTP-Auth-Bugs-in-Apples-Safari-3-Beta-Windows.html
And for those who can’t read German go here and watch the images only:
http://www.bitsploit.de/archives/435-HTTP-Auth-Bugs-in-Apples-Safari-3-Beta-Windows.html
June 13th, 2007 at 8:27 am
+ no cross-domain protection:
http://alt.swiecki.net/safc.html
That’s a Secure browser!
June 13th, 2007 at 10:32 am
Well security is a broad term, I mean usage of crypto is security. So the marketing is not wrong, they just don’t mean the kind of security we do. It’s good to see that the bugs get found in the beta, so the final will be a little more secure :).
June 13th, 2007 at 2:46 pm
By Daniel: “SDLC and Apple aren’t friends at the moment.
It’s sad when the marketing department controls releases”
@Daniel: Isn’t that how most of the software industry works! :) Release deadlines are far more important than… uh… well… security!
June 13th, 2007 at 5:21 pm
I’ve never seen such an easy denial of service (null pointer) vulnerability:
http://www.rec-sec.co.il/2007/06/12/apple-safari-for-windows-vulnerabilities/#exp
Safari should stay on Mac.
June 13th, 2007 at 5:38 pm
InfoSec Sellout is David Maynor’s Big Hairy Daddy With A Muscle Shirt On:
http://infosecsellout.blogspot.com/2007/06/what-is-worse-than-fuzzing-browser.html
June 13th, 2007 at 6:37 pm
“The first was Dave Maynor’s full disclosure ”
“Full” disclosure? I’m sorry, I didn’t realize we’ve redefined the word full to mean selective.
“It pays not to make enemies in this business.”
Or not. If Errata hopes to sell their services to anyone, they might want to rethink what comes off as a very childish attitude towards disclosure.
June 13th, 2007 at 7:09 pm
I had no idea what an emotional issue this was. Eesh!
@Phil - any idea who infosecsellout is? Funny blog.
@Chris_B - I’m not sure what you mean by selective. Do you mean because they don’t post about other people’s vulns? To that, I cannot comment because I don’t know much about what they don’t post. However, I do know if you treat others badly they tend to not want to work well with you. I agree though that although amusing, it’s probably not great for his reputation.
June 14th, 2007 at 5:43 am
@RSnake: I know who infosecsellout is, and it is quite obvious from one of his recent posts. He also runs another excellent blog.
June 15th, 2007 at 10:24 am
Not surprising, it is on Windows after all. Vulnerability is built right into the OS.