Posted on 06/13/2007 2:05:03 PM PDT by PajamaTruthMafia
Safari Security Claims Ignite Controversy

Security researchers have already found eight bugs in the Windows version of Safari Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.
Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC.
PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.
First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities.
Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."
Shortly after Maynor posted his first bugs, Aviv Raff, an Israeli security researcher noted for his contributions to last July's "Month of Browser Bugs" project, announced he had found a flaw, too. "I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and I," Raff said in an instant message interview. "This is a memory corruption vulnerability, which is potentially exploitable for remote code execution."
Danish researcher Thor Larholm wrapped up Safari's opening day with the most damaging disclosure of all: a remote execution vulnerability accompanied by proof-of-concept exploit code. That code -- Windows Safari users can click here for a demo -- could be used to hijack the PC, said Larholm, who plucked the vulnerability from the browser and built the exploit in just two hours.
He laid part of the blame on Apple's inexperience in writing code for Windows. "On OS X, Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on Windows, namely intimate operating system knowledge," said Larholm. "The integration with the original operating system is tightly defined, but [that] knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.
"[For example] you can still find references to the OS X proprietary URL protocols "open-help-anchor:" and "network-diagnostics:" inside the resource files for the Windows release [of Safari]."
Bugs are not unknown to Apple. Other applications available to Windows users, the QuickTime media player and the iTunes music store software, have been patched several times. Four fixes for QuickTime, two last month alone, have been issued by Apple this year. In March, Apple updated iTunes so it would work more smoothly with Windows Vista.
Even so, the number of vulnerabilities discovered in Safari's debut day was stunning. Aviv Raff had an explanation. "My guess is that it's because of Apple's issues with security researchers and the false claims that their products are far more secure than others," he said.
Larholm agreed. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."
Maynor, who until last summer worked as a senior researcher for SecureWorks Inc., did not need to spell out his position. After he and colleague "Johnny Cache" demoed a MacBook hack prior to Black Hat, both Apple and Mac bloggers criticized the pair for either faking the hack or obfuscating its true nature. Maynor and Cache stood behind their claim. Several months later, Apple quietly patched the wireless drivers the researchers had used to break into the Mac machine.
On Monday, Maynor spelled out his policy regarding Apple vulnerabilities. "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor."
Raff summed it up on the posting to his blog. "On the download page [for Safari] Apple writes 'Apple engineers designed Safari to be secure from day one.' I guess we can now call it 'Day zero.'"
Apple officials did not respond to a request for comment.
Isn’t this a beta and not an actual supported release? You expect a lot more bugs in betas. I’m sure they will be gone for the real version.
Exactly ... it is a matter of numbers and intent.
“Even with all that, there hasn't been a real in-the-wild computer-being-taken-over-by-something type problem that I recall since the Autostart Worm more than 10 years ago. The solution to that was to check a checkbox to keep executables from automatically starting when you inserted a CD in the CD drive.”
Not true - look at the Metasploit and CANVAS links I posted. That’s not even counting what the bad guys have.
“That vulnerability required the user to click on a link that the user had no way to know whether it was trustworthy or not.
Only the stupid do such clicking.”
That’s a silly assumption. Thanks to XSS you can click without clicking, or have a trustworthy link rewritten to go to a fake one. Or fall victim to a phishing attack. Calling people to whom those (and more) things happen stupid is, well... uninformed.
I was referring to that particular vulnerability that YOU mentioned. It required the user to purposely click on the link.
At least that’s the way it was described in the tech article I read at the time. Do you have contrary info about that?
No interest at all in all those UNIX servers either I guess. The U.S. Army Switched to Apache running on OSX and haven't been hacked since.
“At least that's the way it was described in the tech article I read at the time. Do you have contrary info about that?”
Search the thread for ‘metasploit’ and you’ll find the post with links to actual remote exploit code for macs.
These are remote listening network services.
Some of them are 3rd party apps... too bad they didn’t enable the NX bit.
“No interest at all in all those UNIX servers either I guess. The U.S. Army Switched to Apache running on OSX and haven’t been hacked since”
You don’t know that for sure.
I am sure many have tried to rob Fort Knox, well haven't they? Uh, never mind.
PS I don't need your expensive expertise to keep my Macs running, that is what really gets the goat of all you IT Pros, fess up. Stay with the platform that makes you the money.
Yep, you are correct in that the kernel is UNIX, a fact that most OS X users forget about. You would be wrong about UNIX hacks in the DOD...can’t go into detail but you are wrong. We have RCERT in here more often than not......The Army still has a long way to go.
Dude, I could care less what you use....just don’t feed me a line of bullcrap about its security when those in the industry know different. It makes you look.....uninformed.
First, you’re changing the subject from the challenge I posted to you.
Second, none of those is current, and none of them broke out into the wild, so what’s the point?
The MacBook Pro that the thread was originally talking about was set up with none of the available security devices enabled, and there were tons of hackers trying to beat its doors down, yet it took a very long time for it to be opened up, and even then, the rules of the challenge needed to be broken in order for the guy to get in.
Come on.
“First, you're changing the subject from the challenge I posted to you.”
What challenge?
“Second, none of those is current, and none of them broke out into the wild, so what's the point?”
The one supported by ImmunitySec is current. They were all in the wild - those are actual exploit code.
There’s a difference between an exploit and a worm or virus. They can use one to spread. In these cases no one cared enough to write one. I’m not sure what your point is here other than to carry the water for Jobs.
You claimed in post #11 that Apple has falsely claimed these problems were nothing but hot air. I challenged you to give examples of that.
So far, you haven’t posted a single claim by Apple that any of these reported exploits were merely hot air.
It’s simple: If you can’t back that claim up with quotes from Apple, then you’re full of hot air with that wild claim.
‘You claimed in post #11 that Apple has falsely claimed these problems were nothing but hot air. I challenged you to give examples of that.’
Here is what I really said:
“Remember, people have claimed a lot of bugs with OS X before that Apple falsely claimed to be a lot of hot air.”
I answered you back in post #48
Dave Maynor who is in this article and the apple wifi driver vulns Apple claimed not to exist... and then patched.
Microsoft used to really be a joke but they’ve really improved their software development lifecycle in terms of security. If you want to learn more look for any book by Michael Howard.
You didn’t answer in #48. You haven’t quoted Apple saying anything of the sort. Rather, you are relying on the PC Magazine author to be accurate in his characterization of official Apple responses to Maynor.
His hack was the same event I mentioned in my previous post, isn’t it? After many hours and many failures, they changed the rules of the challenge in order to break into the MacBook Pro, right? And the exploit did require user intervention to trigger it, right?
“You didn't answer in #48. You haven't quoted Apple saying anything of the sort. Rather, you are relying on the PC Magazine author to be accurate in his characterization of official Apple responses to Maynor.
His hack was the same event I mentioned in my previous post, isn't it? After many hours and many failures, they changed the rules of the challenge in order to break into the MacBook Pro, right? And the exploit did require user intervention to trigger it, right?”
No, I said it based on personal knowledge of the situation, and that’s all I have to say about that. :)
I was referring to MAYNOR’s bug, the wifi driver issue. Not the QuickTime issue discovered by Dino Dai Zovi.
Interview
http://blogs.zdnet.com/security/?p=176
Some of his other Apple exploits:
http://www.theta44.org/research.html
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.