web application security lab

Sad Day for Safari On Windows

In the last day there have been a number of vulnerabilities disclosed by researchers against the newly released Safari for Windows. The first was Dave Maynor’s full disclosure, then came Aviv Raff’s disclosure, and finally today Thor Larholm disclosed his vulnerability. Thor’s is probably furthest along in being an actual working exploit. Not a good day for Safari.

Probably the most interesting part of this is Dave Maynor’s reasons for going Full Disclosure. He doesn’t talk about it much on his blog, other than this little quip, “Keeping with our disclosure policy, we do not report bugs to Apple.” Apple has had a long history of bad dealings with security researchers, and they are now seeing a backlash amongst the security community. No surprises though, you get what you ask for. It pays not to make enemies in this business.

21 Responses to “Sad Day for Safari On Windows”

  1. Michael Schramm Says:

    Yes, that was funny yesterday: A German IT-news page told something like “Wow, Safari on windows now, very cool, very fast” and only a few hours later there was a second article like “uuurgh, Safari on windows: Many Bugs, it suxx” :)

  2. RSnake Says:

    Hahah.. funny… Matasano had a rebuttal to Dave’s anti-Apple disclosure policy here: http://www.matasano.com/log/880/safari-vs-maynor-dogs-and-cats-living-together-mass-hysteria/

  3. TarraDog52 Says:

    From the Apple website…

    12 reasons you’ll love Safari.
    1. Blazing Performance
    2. Elegant User Interface
    3. Easy Bookmarks
    4. Pop-up Blocking
    5. Inline Find
    6. Tabbed Browsing
    7. SnapBack
    8. Forms AutoFill
    9. Built-in RSS
    10. Resizable Text Fields
    11. Private Browsing
    12. Security :D

    And another quote: “Apple engineers designed Safari to be secure from day one.”

  4. Kyran Says:

    Tarradog, I suppose this really shows pdp is right.
    Security should be reactive and there is no such thing as secure out of the box or being designed for security.

    Anyways, I installed Safari when it came to Windows recently… then uninstalled it 15 minutes later.

  5. Daniel Says:

    SDLC and Apple aren’t friends at the moment.

    It’s sad when the marketing department controls releases

  6. Legionnaire Says:

    I am not an Apple/Safari user or anything but it seems that the security of an application relies on the running OS. Memory Corruption and possible Exploitation may very well be caused by the fact that Safari is running for the first time in Windows and Apple doesn’t understand Windows (hell, even Microsoft does not understand Windows). There may be some issues developers must get familiar with.

    Security holes cannot be detected during a normal beta testing.

    Is it possible to reproduce any of these vulnerabilities on MAC OS X?

  7. Awesome AnDrEw Says:

    I watched the highlights from Steve Jobs’ speech about Safari’s coming release the other day, and thought, “Just another application to have to worry about in the cross-browser exploitation efforts.”

  8. Daniel Says:

    Legionnaire, from what it looks like, yes

  9. Michael Schramm Says:

    Legionnaire,

    you should notice: “These bugs have been verified in the current PRODUCTION copy on OSX (Safari 2.0.4).” (http://erratasec.blogspot.com/2007/06/niiiice.html)

    :)

  10. TarraDog52 Says:

    Kyran, I planned on installing it to give it a test but never got around to it. Don’t think I’ll bother anymore.

  11. Nigel Mellish Says:

    “they are now seeing a backlash amongst the security community.”

    Oh, I don’t know, I think the intelligent among us realize that any beta software is going to have problems, and that anything they release from now until the end of time will be scrutinized by Maynor, at first to the benefit of more secure code, and then over time to the detriment of vulnerability research as he becomes a tired, squeaky wheel, screaming “hey, look at me, I found another Apple bug” every time the release cycle comes around.

    I’m not stupid enough to believe that we, in security, have carte blanche to sit back and myopically focus on our own subculture without considering the larger IT picture. Take Safari, for example! There’s no doubt that Konqueror became a better browser after Apple contributed code and eventually hired Hyatt. With moves like that, Apple’s bought a lot of goodwill since 2000 - and it’s going to take more than an attention whore with one bad experience at the peak of blogdom to overcome that equity.

  12. Alex Says:

    I’ve found some more bugs in HTTP-Auth.
    For those who can read German go here: http://www.bitsploit.de/archives/435-HTTP-Auth-Bugs-in-Apples-Safari-3-Beta-Windows.html

    And for those who can’t read German go here and watch the images only: ;)
    http://www.bitsploit.de/archives/435-HTTP-Auth-Bugs-in-Apples-Safari-3-Beta-Windows.html

  13. lpilorz Says:

    + no cross-domain protection:
    http://alt.swiecki.net/safc.html

    That’s a Secure browser!

  14. Remco Says:

    Well security is a broad term, I mean usage of crypto is security. So the marketing is not wrong, they just don’t mean the kind of security we do. It’s good to see that the bugs get found in the beta, so the final will be a little more secure :).

  15. Mephisto Says:

    By Daniel: “SDLC and Apple aren’t friends at the moment.

    It’s sad when the marketing department controls releases”

    @Daniel : Isn’t that how most of the software industry works! :) Release deadlines are far more important than…uh…well…security!

  16. g0d Says:

    I’ve never seen such easy denial of service (null pointer) vulnerability:
    http://www.rec-sec.co.il/2007/06/12/apple-safari-for-windows-vulnerabilities/#exp

    Safari should stay on Mac.

  17. Phil Estien Says:

    InfoSec Sellout is David Maynor’s Big Hairy Daddy With A Muscle Shirt On:

    http://infosecsellout.blogspot.com/2007/06/what-is-worse-than-fuzzing-browser.html

  18. Chris_B Says:

    “The first was Dave Maynor’s full disclosure ”

    “Full” disclosure? I’m sorry, I didn’t realize we’ve redefined the word full to mean selective.

    “It pays not to make enemies in this business.”

    Or not. If Errata hopes to sell their services to anyone, they might want to rethink what comes off as a very childish attitude towards disclosure.

  19. RSnake Says:

    I had no idea what an emotional issue this was. Eesh!

    @Phil - any idea who infosecsellout is? Funny blog.

    @Chris_B - I’m not sure what you mean by selective. Do you mean because they don’t post about other people’s vulns? To that, I cannot comment because I don’t know much about what they don’t post. However, I do know if you treat others badly they tend to not want to work well with you. I agree though that although amusing, it’s probably not great for his reputation.

  20. ntp Says:

    @RSnake: I know who infosecsellout is, and it is quite obvious from one of his recent posts. He also runs another excellent blog.

  21. kev Says:

    Not surprising, it is on Windows after all. Vulnerability is built right into the OS.