Free Republic
Safari Security Claims Ignite Controversy [8 bugs found in first day alone]
PCWorld | 6/12/07 | Gregg Keizer

Posted on 06/13/2007 2:05:03 PM PDT by PajamaTruthMafia

Security researchers have already found eight bugs in the Windows version of Safari that Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.

Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC.

PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.

First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities.

Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

Shortly after Maynor posted his first bugs, Aviv Raff, an Israeli security researcher noted for his contributions to last July's "Month of Browser Bugs" project, announced he had found a flaw, too. "I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and I," Raff said in an instant message interview. "This is a memory corruption vulnerability, which is potentially exploitable for remote code execution."

Danish researcher Thor Larholm wrapped up Safari's opening day with the most damaging disclosure of all: a remote execution vulnerability accompanied by proof-of-concept exploit code. That code could be used to hijack the PC, said Larholm, who plucked the vulnerability from the browser and built the exploit in just two hours.

He laid part of the blame on Apple's inexperience in writing code for Windows. "On OS X, Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on Windows, namely intimate operating system knowledge," said Larholm. "The integration with the original operating system is tightly defined, but [that] knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.

"[For example] you can still find references to the OS X proprietary URL protocols "open-help-anchor:" and "network-diagnostics:" inside the resource files for the Windows release [of Safari]."

Bugs are not unknown to Apple. Other applications available to Windows users, the QuickTime media player and the iTunes music store software, have been patched several times. Four fixes for QuickTime, two last month alone, have been issued by Apple this year. In March, Apple updated iTunes so it would work more smoothly with Windows Vista.

Even so, the number of vulnerabilities discovered in Safari's debut day was stunning. Aviv Raff had an explanation. "My guess is that it's because of Apple's issues with security researchers and the false claims that their products are far more secure than others," he said.

Larholm agreed. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."

Maynor, who until last summer worked as a senior researcher for SecureWorks Inc., did not need to spell out his position. After he and colleague "Johnny Cache" demoed a MacBook hack prior to Black Hat, both Apple and Mac bloggers criticized the pair for either faking the hack or obfuscating its true nature. Maynor and Cache stood behind their claim. Several months later, Apple quietly patched the wireless drivers the researchers had used to break into the Mac machine.

On Monday, Maynor spelled out his policy regarding Apple vulnerabilities. "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor."

Raff summed it up on the posting to his blog. "On the download page [for Safari] Apple writes 'Apple engineers designed Safari to be secure from day one.' I guess we can now call it 'Day zero.'"

Apple officials did not respond to a request for comment.


TOPICS: News/Current Events; Technical
KEYWORDS: apple; safari; wintrolls

1 posted on 06/13/2007 2:05:06 PM PDT by PajamaTruthMafia
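Larholm's observation in the article above, that the Windows build of Safari still carried references to the OS X-only URL schemes "open-help-anchor:" and "network-diagnostics:" in its resource files, describes a class of porting leftover that is easy to check for. The script below is an added example, not code from PCWorld, Apple or any of the researchers quoted: it pulls printable ASCII and UTF-16LE strings out of a binary or resource blob (the same idea as the `strings` utility; Windows string tables are UTF-16LE), finds scheme-like tokens, and reports the schemes that are not ordinary web schemes so a reviewer can confirm that a handler for each one actually exists on the target platform. The allowlist of common schemes and the sample blob are constructed for the example; the sample is not Safari's real resource data.

```python
"""Flag custom URL scheme references in a binary or resource blob.

Added example (not from the PCWorld article, Apple or the quoted researchers).
Usage: python scan_schemes.py <file>, or call unexpected_schemes(blob) directly.
Requires Python 3.9+ for the builtin generic type hints.
"""
import re
import sys

# Schemes a browser resource file is expected to mention; anything else is
# reported for review. Assumed allowlist; extend it for the product under review.
COMMON_SCHEMES = {
    "http", "https", "ftp", "file", "mailto", "data", "about",
    "javascript", "news", "feed", "tel", "blob",
}

# Printable-string extraction: runs of ASCII, and runs of ASCII stored as
# UTF-16LE (each printable byte followed by a NUL), as Windows resources are.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
# Noise filters for prose such as "Error: x" or paths such as "C:\...":
#   - at least three characters before the colon (drops drive letters),
#   - not preceded by another scheme character (so "a:b" is not re-split),
#   - followed by a non-space character (a URL has something after the colon).
# A label like "Title:Foo" can still match; that is cheap to dismiss by hand.
_SCHEME = re.compile(r"(?<![A-Za-z0-9+.\-])([A-Za-z][A-Za-z0-9+.\-]{2,}):(?=\S)")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable strings found in blob: ASCII runs, then UTF-16LE runs."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16LE_RUN.finditer(blob)]
    return found


def find_schemes(blob: bytes) -> dict[str, set[str]]:
    """Map each scheme token found (lower-cased) to the strings it occurred in."""
    hits: dict[str, set[str]] = {}
    for s in extract_strings(blob):
        for m in _SCHEME.finditer(s):
            hits.setdefault(m.group(1).lower(), set()).add(s)
    return hits


def unexpected_schemes(blob: bytes) -> list[str]:
    """Schemes present in blob that are not in COMMON_SCHEMES, sorted."""
    return sorted(sch for sch in find_schemes(blob) if sch not in COMMON_SCHEMES)


# Constructed sample resembling a resource blob: UTF-16LE UI strings mixed with
# ASCII and padding. The anchor names are made up; this is not Safari's data.
SAMPLE_BLOB = (
    b"\x00\x01PAD\x00"
    + "Visit http://www.apple.com/safari/".encode("utf-16-le") + b"\x00\x00"
    + "Send feedback: mailto:feedback@example.com".encode("utf-16-le") + b"\x00\x00"
    + "open-help-anchor:safari_help_home".encode("utf-16-le") + b"\x00\x00"
    + "network-diagnostics:run".encode("utf-16-le") + b"\x00\x00"
    + "Error: page could not be loaded".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x00\x00\x00Path C:\\Program Files\\Safari\\Safari.exe\x00"
    + b"about:blank\x00"
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for scheme in unexpected_schemes(data):
        print(f"{scheme}:")
        for context in sorted(find_schemes(data)[scheme]):
            print(f"    {context}")
```

Run against the constructed sample it reports only open-help-anchor and network-diagnostics; http, mailto and about are in the allowlist, and "Error:" and the drive letter are dropped by the filters. Each reported scheme is then a question for the port: is a handler registered for it on Windows, and if not, what does the browser do when a page or a resource string invokes it?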

To: PajamaTruthMafia

Hmm.. I thought Apple software didn’t have bugs.


2 posted on 06/13/2007 2:08:44 PM PDT by Rodney King (No, we can't all just get along.)

To: PajamaTruthMafia

Pfft. Ok.


3 posted on 06/13/2007 2:09:21 PM PDT by big'ol_freeper (It looks like one of those days when one nuke is just not enough-- Lt. Col. Mitchell, SG-1)

To: Rodney King
>I thought Apple software didn’t have bugs

So long as no one
uses it, it's rock solid!
Don't ask for the moon!
4 posted on 06/13/2007 2:10:48 PM PDT by theFIRMbss

To: PajamaTruthMafia

“Larholm agreed. ‘Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser.’”

The popular attitude of some pro-Mac folks is that there are no security risks associated with Macs.


5 posted on 06/13/2007 2:10:56 PM PDT by Disturbin (Goverment is not the solution to any problem)

To: Rodney King
>>I thought Apple software didn’t have bugs

Besides, give Apple
a break. All their Quality
Assurance sherpas

are struggling to fix
60% of the bugs
in the new iPhone...
6 posted on 06/13/2007 2:13:03 PM PDT by theFIRMbss

To: Rodney King

Let’s also not forget that this is a *Beta* version of Safari/Windows.

Or should I mention all the bugs that are in the *release* version of IE?


7 posted on 06/13/2007 2:14:07 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: Disturbin

Lousy? Hm. Please name one exploit of OS X that has been found in the wild.


8 posted on 06/13/2007 2:14:46 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: Spktyr
Maybe you missed this:

"I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

9 posted on 06/13/2007 2:22:31 PM PDT by PajamaTruthMafia

To: PajamaTruthMafia

I will believe it when someone else confirms it (i.e., peer review).

Remember, people have claimed a lot of bugs with OS X before that have turned out to be a lot of hot air.


10 posted on 06/13/2007 2:23:22 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: Spktyr
Remember, people have claimed a lot of bugs with OS X before that have turned out Apple falsely claimed to be a lot of hot air.
11 posted on 06/13/2007 2:30:01 PM PDT by GovernmentIsTheProblem (The GOP is "Whig"ing out.)

To: PajamaTruthMafia
"The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

Do you work for Norton by chance? Just asking because this is the most blatant nonsense I have ever seen posted about OS X. I will email you my static IP address and challenge you to get into my Mac if you want to prove your statement.

12 posted on 06/13/2007 2:48:59 PM PDT by itsahoot (The GOP did nothing about immigration, immigration did something about the GOP (As Predicted))

To: PajamaTruthMafia
"...in the Windows version of Safari Apple"

That explains that.
13 posted on 06/13/2007 2:49:26 PM PDT by Liberty Valance (Keep a simple manner for a happy life :o)

To: PajamaTruthMafia
I found this on PC mag this morning and tried to post it here, but FR will not allow PC Mag content on the web site.

I installed Safari on my Vista desktop and XP laptop the day it was released. I’m using Safari right now on my laptop; nice program, but not nearly as customizable as IE or Firefox. I had to uninstall it from my Vista machine as it would not display any text in the title bar, address bar, drop-down menus or even on the web page. Definitely buggy.

14 posted on 06/13/2007 2:59:58 PM PDT by SolitaryMan (Two types of ships...Submarines and Targets)

To: Spktyr

As a computer security professional I just have to chuckle about all the Mac user claims of security. The fact is there is not one single computer anywhere that isn’t vulnerable to exploitation. One of the main reasons there is so much focus on Microsoft products is the fact that they are so prevalent. If someone is in the business of exploiting machines, the best platform to concentrate on is obviously MS products just because of the sheer numbers. If the numbers were reversed, I’m sure that Macs would be victimized just as easily. If any of you Mac users think you are invincible, you obviously haven’t seen the number of exploits available to hackers/malicious software for the Mac platform.


15 posted on 06/13/2007 3:21:39 PM PDT by rightwingextremist1776

To: PajamaTruthMafia

That’s why they call it a beta version.

I won’t be getting it until it goes final and probably, also, one revision past final. Then it will be stable and holes will be plugged.

Windows hasn’t had a Safari browser before and thus it will always have bugs when it’s first worked out in a new OS environment (i.e., Windows).

It’s going to be necessary for Safari on Windows because of Safari being necessary for the iPhone and how developers will be able to work with iPhone. Thus, they are coming out with it now, to get ready for it.

It’s not just going to be Apple Macintosh people who get iPhones, but Windows people who get it, too.

Regards,
Star Traveler


16 posted on 06/13/2007 3:28:45 PM PDT by Star Traveler

To: Rodney King; PajamaTruthMafia

Apple software doesn’t have bugs, they are “New Apple ‘Jobs,’” users will have to pay Apple for to get fixed.


17 posted on 06/13/2007 3:41:10 PM PDT by SandRat (Duty, Honor, Country. What else needs to be said?)

To: rightwingextremist1776
"As a computer security professional I just have to chuckle about all the Mac user claims of security. The fact is there is not one single computer anywhere that isn’t vulnerable to exploitation. One of the main reasons there is so much focus on Microsoft products is the fact that they are so prevalent. If someone is in the business of exploiting machines, the best platform to concentrate on is obviously MS products just because of the sheer numbers. If the numbers were reversed, I’m sure that Macs would be victimized just as easily. If any of you Mac users think you are invincible, you obviously haven’t seen the number of exploits available to hackers/malicious software for the Mac platform."

I believe you are correct. Macs make up something like 4.5% market share of all computers in the USA, so most hackers aren't going to bother hacking them. The more prevalent they become (if), the more hackers will turn to them. Right now, there just aren't enough out there for the hackers to bother with the effort.

18 posted on 06/13/2007 3:44:57 PM PDT by Chicos_Bail_Bonds

To: Star Traveler
Gee, you must have not really read the article either. If you had, you would have read this:

"I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

19 posted on 06/13/2007 3:45:20 PM PDT by PajamaTruthMafia

To: PajamaTruthMafia
Safari loads faster than Firefox, but each time it starts it insists on trying to connect to this or that IP number. No program should try to connect to the internet without asking the user whether it's okay to do so.

Also, the tab text and status bar text are too small and don't seem to be scalable. And the gray background color of the tab bar and the status bar is too dark.

20 posted on 06/13/2007 3:46:36 PM PDT by snarks_when_bored



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson