Seeking Alpha
In the now-classic Apple (AAPL) commercials, Mac Guy occasionally remarks to PC Guy that Macs don't have the security problems of PCs. But now, Mac Guy might have PC Guy's problems. Within hours of Monday's announcement that Safari 3 beta was available for Windows, three security blogs identified vulnerabilities in the Apple-made browser.

While Apple's marketing information suggests Safari has been "designed to be secure from day one," security experts Aviv Raff, David Maynor, and Thor Larholm found otherwise -- in some cases simply by opening a malicious Web site in Safari.

Bloggers Unveil Issues
Writing on the Errata Security blog, David Maynor said on Monday that using "publicly available tools," he and associates found "six bugs in an afternoon; four DoS and two remote code execution bugs." DoS refers to a denial-of-service attack in which packets of data can overwhelm and then crash a computer.

The bugs work not only on the Windows version of Safari, Maynor wrote, but also on the version for Apple's OS X. "Same code base for a lot of stuff," he said.

Maynor said that his disclosure policy was to "give vendors as long as they need to fix problems." But "if the vendor is unresponsive" or makes threats, he wrote, after 30 days he will release the full details. In any case, he said, the information on the vulnerabilities will not be sold to a third party.

Thor Larholm, on his blog Larholm.com, wrote today that, within two hours of downloading, installing, and using Safari for Windows, he found a "fully functional command execution vulnerability, triggered without user interaction simply by visiting a Web site."

He pointed out that Safari was originally designed for tight integration with OS X, but "the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur." When Apple released Safari for Windows, he noted, the company neglected to implement Windows-specific URL protocol handlers. The result is that a malicious user can "break out of the intended confines and wreak havoc."

On his blog, aviv.raffon.net, Aviv Raff said that he found "memory corruption" that "might be exploitable," although he added that he'll "have to dig more to be sure of that."

Hackers have long wanted to get their hands on the iPod, and you can bet the iPhone is just too tempting for them. With the planned integration between the browser and the devices, the security breaches in Safari will open that door. How long before Microsoft's (MSFT) PC guy has his own commercial out there?


This article has 4 comments:

  • Safari 3 is 'beta' software, and this is exactly the process that should take place to close the loopholes. Why do you and others hold Apple up to completely different standards to others?

    Compare this beta with Windows XP and Internet Explorer where holes are STILL being found - after being out of beta for 5 years!

    And as for Maynor, for him to be throwing threats around is a bit much to stomach. He was the man with the fraudulent and misleading MacBook Airport vulnerability - that wasn't Airport.
    2007 Jun 14 05:10 AM
  • Todd,

    sigh.. words fail me. I hav...
    2007 Jun 14 05:12 AM
  • Another sad rehash of other people's journalism. Why Apple couldn't have run Safari past these guys a week before release is beyond me, I do consider it an issue that it was released with these holes. However, it's beta, and it's probably still more stable than the Windows environment that it exists in. Remember that people are out to prove Apple vulnerable, and it is, any computer is, but they can get away with this because Windows vulnerabilities are a given.
    2007 Jun 14 09:59 AM
  • B-E-T-A

    You classic apple bashers will jump on anything to prove your narrow minded points. Pay attention! Do you know what Betas are for?... Apparently not. Why do you think Apple is putting it out there? Why do you expect a beta release to have no holes in it?... OH YEAH!... Because Apple doesn't release Junk! By the time the non beta version is released... It will be as secure as the Mac version. Not perfect... But better out of the box than IE is in its 7th incarnation. Let's keep a running tab of how many bugs and holes are found in toto before the full version comes out.

    Oh you silly boy...
    2007 Jun 14 12:33 PM