
yellow

Moderator emeritus
Original poster
http://blogs.zdnet.com/security/?p=286

June 12th, 2007
Remote exploit released for brand-new Safari for Windows

Posted by Ryan Naraine @ 5:55 am

Security researcher Thor Larholm has found what might be the first remote code execution vulnerability in Apple’s shiny new Safari for Windows.

Larholm (left) has released an advisory with proof-of-concept code to demo the vulnerability, which can be used to take complete control of a Windows PC if the user simply surfs to a Web page.

Click here for a demo of the flaw [removed -yellow], which triggers a Safari crash and bounces through Firefox via the Gopher protocol.

Larholm explains:

The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically consists of a multitude of different URL schemes, some of which are handled by internal functions and others that are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.

Although the proof-of-concept exploit is launched via Firefox installed on the victim machine, Larholm makes it clear that this is a problem in Safari for Windows. In an interview over IM, he said he did not test the exploit on the Mac OS X platform.

It is important to know that, even though this PoC exploit uses Firefox, the actual vulnerability is within the lack of input validation for the command line arguments handed to the various URL protocol handlers on your machine. As such, there are a lot of different attack vectors for this vulnerability, I simply chose Firefox and the Gopher URL protocol because I was familiar with these.

Larholm isn’t the only hacker pounding on the new browser. Within hours of the beta release, two researchers — David Maynor and Aviv Raff — used fuzzers to find memory corruption bugs that may be exploitable.

[UPDATE: June 12 2007 @ 9:15 AM] An addendum from David Maynor on his findings:

I’d like to note that we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs. We have weaponized one of those to be reliable and it's different than what Thor has found. I can’t speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff).

Ooops! :)
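An added illustration of the vulnerability class Larholm describes in the quoted article, protocol handler command injection (this is not part of the original post or of Larholm's advisory): a URL substituted unvalidated into a handler's command-line template, next to a hardened version. The handler path, the `-url` and `--extra-flag` options, the scheme allow-list and the simplified argument splitter are all hypothetical.

```python
from urllib.parse import quote, urlsplit

# Hypothetical handler registration: the browser replaces %1 with the URL.
HANDLER_TEMPLATE = '"C:\\Program Files\\ExampleApp\\app.exe" -url "%1"'
ALLOWED_SCHEMES = {"gopher"}  # assumption: schemes this handler may receive

def split_args(cmdline):
    """Simplified model of how the handler splits its command line:
    whitespace separates arguments unless inside double quotes."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def naive_argv(url):
    """No input validation: a double quote in the URL closes the quoted
    argument, so the rest of the URL is parsed as further arguments."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url))

def hardened_argv(url):
    """Allow-list the scheme, then percent-encode every character that is
    not legal in a URL (quotes, spaces, backslashes) before substitution."""
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed for external handler")
    encoded = quote(url, safe=":/?#[]@!$&'()*+,;=%")
    return split_args(HANDLER_TEMPLATE.replace("%1", encoded))

# Constructed sample input, not taken from the advisory.
SAMPLE_URL = 'gopher://example.invalid/" --extra-flag "value'

if __name__ == "__main__":
    print(naive_argv(SAMPLE_URL))     # URL text shows up as separate arguments
    print(hardened_argv(SAMPLE_URL))  # URL stays a single argument
```
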
 
bludy windoze! haha that's really quite funny, you can take the safari out the os, but you can't take the flaws out the os

surprisingly other browsers like fx/opera managed to stay safer.

anyway, welcome to the real world of windows, apple :D good luck stay safe and survive. and let's check back on browser market share in 3 months!
 
Too true.

++: what a great way to get others to find the bugs for you.
--: unfortunately, that becomes cannon fodder for the haters.

please, look at all other browsers.

application bugs can be contributed to "beta"

security holes can not.

excuse will not help.
 

hehe, haters are good compensation for fanboys, put them together, apple can move forward.

and truth to be told, did u find any firefox/opera/IE beta to get exploited two hours after release?
 
and truth to be told, did u find any firefox/opera/IE beta to get exploited two hours after release?

Not that I remember, which is part of the reason I posted this thread.

Frankly, beta or not, I would have thought that maybe SOMEONE with some salt as a whitehatter would have taken a crack at it before release.
 
Safari Beta Security Slammed; 8 Vulnerabilities Found



Not even a day after Apple unleashed its Safari 3 beta into the wild, security researchers have found a host of security issues for both the Mac OS X and Windows versions.

Security researcher David Maynor (of Black Hat Airport vulnerability fame) details on his blog 6 vulnerabilities, 4 of which were denial of service and 2 were remote code execution. In addition, Maynor claims that one of the bugs found is weaponizable.

Separately, Thor Larholm writes in his blog (which is mentioned by Maynor) another vulnerability involving the Safari beta on Windows, where Safari does not properly validate command-line input. To round out the vulnerabilities, Aviv Raff discovered a memory corruption issue that caused Safari on Windows to crash.

In each incident, the researchers seemed to take issue with Apple's claim that "Apple engineers designed Safari to be secure from day one." To be fair, the software is still in beta, although the beta on OS X overwrites the user's previous version of Safari.
 
oh wah wah wah


get over it, oh darn the program isn't "perfect"

and who wastes their time finding insignificant insecurities like these

assuming it's insignificant? hahaha...
 
Hmmm... maybe a web browser is not the best thing to release as beta in today's environment.
 
oh wah wah wah


get over it, oh darn the program isn't "perfect"

and who wastes their time finding insignificant insecurities like these

assuming it's insignificant? hahaha...

I seriously hope you're joking. A few of these were remotely executable, "0-day" flaws. Plus... 8 in one day??? That's getting close to IE 5/6 territory.
 
i d/l the beta and didn't notice any difference in safari itself on OSX. i also got it for windows just to check out. one thing though is my Gmail widget doesn't work anymore... anyone have any ideas about this and could it be something with the beta?
 
it's unusable here in windows. it acts like it has no fonts, all the menus are blank and if ya hit the bug key or do anything with the menus it locks up and crashes...ugh :mad:
 
This is upsetting because I wanted to show a non-mac user how great the mac apps are. Oh well, I guess not until beta 2. I agree, go to windows, get a bunch of holes in the app
 
Windows Live Messenger

I use Windows live messenger to chat to all my friends almost everyday so I can't be without it. Unfortunately the Safari 3 Beta caused Messenger to crash every time I closed a conversation window so I am back with version 2 - it's still great though! I do have the latest version of Messenger btw. Just wondering if anyone else noticed the same problem.
 
Someone must have lied to Steve about just how 'almost-there' this browser is... seriously. BAD.
 
Security issues or not, I'm using it. I just downloaded the beta an hour ago, and it's amazing. The speed is hard to believe. Every slow site now loads lightning fast. Digg's forums used to bring Safari to its knees (sometimes putting up the spinning beach ball for up to a minute) and now there is no lag whatsoever. The find feature is incredible and the Web inspector (which btw does not appear to be available in the Windows version) is the kind of tool any Web developer would kill for.

I think my days of being a Firefox user have just come to an abrupt halt. If only Apple would incorporate the feature from FF where it clears your passwords, cache and history when you quit, it would be perfect.
 