Posted on 06/13/2007 2:05:03 PM PDT by PajamaTruthMafia
Safari Security Claims Ignite Controversy Security researchers have already found eight bugs in the Windows version of Safari Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.
Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC.
PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.
First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities.
Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."
Shortly after Maynor posted his first bugs, Aviv Raff, an Israeli security researcher noted for his contributions to last July's "Month of Browser Bugs" project, announced he had found a flaw, too. "I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and I," Raff said in an instant message interview. "This is a memory corruption vulnerability, which is potentially exploitable for remote code execution."
Danish researcher Thor Larholm wrapped up Safari's opening day with the most damaging disclosure of all: a remote execution vulnerability accompanied by proof-of-concept exploit code. That code -- Windows Safari users can click here for a demo -- could be used to hijack the PC, said Larholm, who plucked the vulnerability from the browser and built the exploit in just two hours.
He laid part of the blame on Apple's inexperience in writing code for Windows. "On OS X, Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on Windows, namely intimate operating system knowledge," said Larholm. "The integration with the original operating system is tightly defined, but [that] knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.
"[For example] you can still find references to the OS X proprietary URL protocols "open-help-anchor:" and "network-diagnostics:" inside the resource files for the Windows release [of Safari]."
Bugs are not unknown to Apple. Other applications available to Windows users, the QuickTime media player and the iTunes music store software, have been patched several times. Four fixes for QuickTime, two last month alone, have been issued by Apple this year. In March, Apple updated iTunes so it would work more smoothly with Windows Vista.
Even so, the number of vulnerabilities discovered in Safari's debut day was stunning. Aviv Raff had an explanation. "My guess is that it's because of Apple's issues with security researchers and the false claims that their products are far more secure than others," he said.
Larholm agreed. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."
Maynor, who until last summer worked as a senior researcher for SecureWorks Inc., did not need to spell out his position. After he and colleague "Johnny Cache" demoed a MacBook hack prior to Black Hat, both Apple and Mac bloggers criticized the pair for either faking the hack or obfuscating its true nature. Maynor and Cache stood behind their claim. Several months later, Apple quietly patched the wireless drivers the researchers had used to break into the Mac machine.
On Monday, Maynor spelled out his policy regarding Apple vulnerabilities. "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor."
Raff summed it up on the posting to his blog. "On the download page [for Safari] Apple writes 'Apple engineers designed Safari to be secure from day one.' I guess we can now call it 'Day zero.'"
Apple officials did not respond to a request for comment.
And when we have as many people driving saabs as yugos they will be just as safe in a crash...
I agree with you regarding the overwhelming availability of MS vs Mac for targeting. Sure it’s more difficult to attack Macs, but not impossible. One day a very good hacker is going to write some scripts and tools for use against the Mac, and when it happens there will be much wailing and gnashing of teeth by all those Mac users who didn’t practice ANY kind of computer security because they felt safe.
No matter the platform, OS, or other security provided by your network, ALWAYS distrust unknown/unverified information be it an email or a website or anything else.
That is all I’ve been saying....
” Maynor has a personal beef with Apple since his hyped-up OS X wi-fi exploit turned out not to be and he was humiliated in the community. He was unable to put up or shut up.”
That’s the apple fanboy take. Apple patching the holes he described months later validated him.
Maynor is one of the best vulnerability researchers out there. Sure he has a beef with Apple - they lied about what he found.
The same happened to me in the past - I found a serious remote vulnerability in VERY popular browser plugin that allowed an attacker to take full control of the desktop PC. The vendor refused to admit it or fix it. I released it to Bugtraq. Then they lied to CNET reporters about the impact, silently patched it, and never notified their customers to update. This was back in 99. It happens!
No, that's the truth. While Maynor knew it was a general platform-agnostic issue, he portrayed it as a problem with Apple and used a third-party wireless card in order to do the exploit. Admittedly, Apple's response was overblown too. They could have handled it better. But Maynor, while being very talented, didn't handle it well either.
Apple later fixed some bugs in wireless, including relating to -- oh my gosh -- third-party wireless drivers. That Apple didn't give any credit is strange, as giving credit is the usual practice.
Does Firefox out of the box, so to speak, not connect automatically to the BBC through “live bookmark”?...
I don't recall. In fact, Firefox has occasionally tried to connect to the net at start-up, but most of the time, it doesn't. But check my post #53 on this thread: I was able to get Safari to stop trying to connect on start-up by telling it to never check for RSS feeds. The "Never" option should be the default, in my view.
No, it isn't and it doesn't.
Maynor's and Ellch's third party card/driver exploit allowed them to get into an administrator level account which had a root enabled terminal already activated and modify a file. They already knew the user name and password for the invaded account. The MacBook had been pre-loaded with a script and prepared for their access which demotes this "exploit" to a local trust issue in that a local user HAD to have access prior to the remote exploit to set up the target computer. Given that they had to install the USB WiFi card, install the third party drivers (ignoring the already factory installed card and drivers from Apple), and install their scripts, it is impossible to know what other modifications they made to the MacBook including opening ports that are normally closed on a default Mac. What they demonstrated was a failing of a card/driver combination that would never have been used on a Mac in an artificial environment.
What Apple found and patched were errors in the drivers supplied by their card/driver supplier which uses an entirely different chip set than the card Maynor and Ellch used in their hoax. The glitches Apple found in their drivers were Denial of Service crashes of the network due to buffer overflows in a non-executable buffer. In other words, WiFi crashed and there was no longer any connection to the computer. These DoS vulnerabilities would not have allowed remote user access such as the exploit Maynor and Ellch showed.
Maynor and Ellch claimed, but never demonstrated, that their exploit would also work with the factory supplied and installed Apple AirPort card and drivers. There explanation for using an external USB WiFi card third party drivers was that Apple had "leaned on them to not use a Mac laptop to demonstrate this general vulnerability that would hit PCs as well" and that the external card and non-Apple drivers were their compromise to please Apple. Right. Sure. Obviously it didn't please Apple.
When challenged to duplicate their stunt under controlled conditions on an out of the box, brand new MacBook, neither Maynor nor Ellch were willing to do so, even though, had they done so, they could have walked away with a brand new MacBook. That challenge is still open. If they could do it with the vulnerabilities Apple reported, they could still have the MacBook.
As for not giving credit when credit is due for reporting Apple security flaws, if you go back through Apple's security updates you will find they have never failed to credit the people who found and reported the issues.
Since Maynor and Ellch did NOT provide Apple with any evidence, ignored the well established routine for reporting security issues to any publisher/manufacturer, and went instead for the hype (". . . stick a lit cigarette in Mac users' eyes. . ."), the only credit Maynor and Ellch are due is that their stunt caused Apple to do a top to bottom security audit of their default Wifi looking for the claimed vulnerability. They did not find what Maynor and Ellch claimed was possible... but they did find and patch some potentially irksome, unexploited vulnerabilities in their drivers.
SecureWorks, the company Maynor worked for, found it necessary, when Maynor could not produce evidence of his prior notification to Apple of his findings OR of Maynor's and Ellch's claim that Apple had LEANED on them to not use a MacBook's native card and drivers, to issue a disclaimer. Maynor shortly thereafter found himself at liberty to start his own security company because he no longer worked for his previous employer. Is it just coincidence that Maynor chose to leave his job just weeks after this scandal broke? I think not.
See my previous post above.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.