Monday, June 11, 2007

Niiiice...

**PLEASE DO NOT POST A COMMENT IF ITS ABOUT SAFARI IN BETA**
These bugs have been verified in the current PRODUCTION copy on OSX (Safari 2.0.4).

Apple just released a Safari for Windows beta at http://www.apple.com/safari. Using publicly available tools we had a DoS in no time. Keeping with our disclosure policy, we do not report bugs to Apple.


UPDATE: Whoops, sorry, thats not a DoS, its memory corruption.

UPDATE 2: Per Request....WinDBG output of a new bug. These are popping out like hotcakes.



UPDATE 3:
It appears I am not the only person who had this idea today?
http://aviv.raffon.net/CommentView,guid,54A1DB79-0ECB-4F13-99AE-45BAB70C4256.aspx#a0ac5417-013d-43ae-9abc-7d265113892c

UPDATE 4: Thor Larholm has also found a bug.
http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/

I'd like to note that we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs. We have weaponized one of those to be reliable and its diffrent that what Thor has found. I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for alot of stuff). The exploit is robust mostly thanks to the lack of any kind of adanced security features in OSX, I write about it here.

UPDATE 5: I've been asked what our disclosure policy is. Its pretty simple, in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or make threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting. We do not sell the vulnerabilities to any 3rd party.








60 comments:

c0uchw4rrior said...

Seeing as this report is coming from the infamous Mr. Maynor, I'd like to see the crash dump. jk ;)

Beau Woods said...

My crash tool for Safari on Windows is the bookmarks toolbar. Importing bookmarks crashed the browser as did visiting one of the links. Yeah, this browser is fast loading pages, but it's still pretty buggy. Probably should have been an alpha version, not beta. At about a crash a minute, I don't think the Jobs Spin Machine could consider it more stable than Windows.

Thomas Ptacek said...

Isn't this second bug just a null pointer deref?

David Maynor said...

Yup, we are up to 6 bugs so far. 4 DoS and 2 remote execution. Not bad for an afternoon of idle fuzzing.

random said...

It wont start on my notebook. Keeps crashing after showing a part of the window.

David Sudjiman said...

My Safari crashed after I used it behind Microsoft Proxy. It was exactly after I put my credentials.

Dead_Cabbit said...

Good propaganda for the Mac: tired of bugs and exploits on your Safari for Windows? Get a Mac! :)

Nick said...

Um who cares? Isn't this what beta's are for? to catch most of the bugs??

mark.a.craig said...

How many comments have you censored, I wonder? There's not an ounce of professionalism in any of your behavior or words; it's all the chest-pounding and look-at-me bluster of a twelve-year-old boy struggling with puberty. If you actually desire to be professional, then either shut your damned trap entirely or report the issues the way a professional security researcher would report them... for the betterment of all good folks and not just you.

David Maynor said...

dead_cabbit and nick: the bugs I discovered work on the currently shipping Safari browser on OSX and can be made uber reliable due to the lack of OSX security features.

David Maynor said...

mark.a.craig: Please explain to me the value in reporting vulnerabilities to an organization that treats them as marketing fodder and requires press to fix anything serious in a timely fashion. We are doing the responsible thing: letting everyone know that the vulnerability for marketing fodder will not be tolerated anymore from vendors, in the end their attitude makes the end user unsafe.

Chris Rohlf said...

I can't believe big companies like apple are still releasing software without fuzzing the hell out of it first. This is common sense.

Thor Larholm said...

Great stuff David. It would be nice to have some details that could be independently verified, but I don't want to tell you how to handle your disclosure.

Seeing as this is fuzzing it should be relatively simple for others to discover on their own, which makes you wonder why Apple never bothered to do so.

Seth Fogie said...

With these results...I wonder how well the iPhone's version will fare?

Olethron said...

Nick:
Sortof... With Apple's resources, it's hard to imagine that this many issues ought to have been discovered mere hours after its release...
One gets the feeling it was maybe just lying around needing to be fixed, and they pushed it as a beta to draw more people to the newly-Leopardized-website...

Either way, it's sad to see this happen. It could easily have been avoided.

Walter said...

Its also rediculously heavy on memory while in use, I've noticed some instances of over 125mb of physical memory in use while one browser window is open, that can double when your using multiple tabs.

veggiedude said...

Chris, you don't understand what 'beta' means?

Lukasz said...

Could you check if the bugs are also in Konqueror? It's more or less the same engine AFAIK...

Gila said...

Installed, tried twice to add a bookmark, tried once to open a page, uninstalled. Three crashes in under 5 minutes is ridiculous, even for a beta version. I'll stick with Firefox...

Julio said...

Hello from Spain.

Maybe you will like to know that for Spanish version of Windows (I don't know for other languages), Safari will not render neither italic nor bold characters, and it crashes whenever you try to add a bookmark:

Yahoo in Safari for Spanish WinXP

This means that the rendering engine seems to depend on the system language. Best programming practices!!

Mark said...

GIla,

Yeah cuz we know Firefox has an impeccable track record. Maybe I'm color blind, but I see a lot of red over the passage of time. There is no place to run other then going back to beating the rocks together.

Rhys Kidd said...

David,

Do BOTH of your remote code execution bugs work on Safari 2.0.4 (419.3)? If so, at least one of yours is different to my two (and none of mine are Thors).

It looks like at least 3 firm RCE bugs between yourself, Aviv, Thor and me - possibly more. And then there's the DoS ones...

Daniel Valero said...

Remenber that this is only a beta release. The idea of a beta version is to discover all the bugs before being released as final

Chris Rohlf said...

veggiedude: Yes I know what beta means. I understand its not a final version. And I am certainly not here to discuss SDLC with anyone im just saying before ANY release I would fuzz my product, even though its beta, look at the bottom of this blog entry, see all those links to erattasec's post? Those don't look too good for apple, beta or not.

David Maynor said...

Daniel Valero:
Come on, it says this at the top of the post, IN BIG LETTERS.

**PLEASE DO NOT POST A COMMENT IF ITS ABOUT SAFARI IN BETA**
These bugs have been verified in the current PRODUCTION copy on OSX.

Robert Graham said...

This sort of proves that the reason there are fewer attacks against the Macintosh is not because it's more secure, but because nobody cares. It wasn't until Apple released a Windows version of Safari that hackers cared, and found a bunch of easily discoverable bugs that affect both the Windows and Macintosh.

Whistler40069 said...

wORKed really Well for me last night. The Install slowed down my computer and Right when it opened the browser i had to make it the Highest Priorty.. and it ran Pefectly then. Ive got 1gb of ram and a newer base intel core duo processor on my Lappy. So.. maybe thats why its working for me. Having to make it High Priority sucks but having it Freaking FASTLY Load Gizmodo and other pages I love is Aewsome and then I dont care about that program being in front of the line.

Mark said...

Robert,

One problem I have with the 'less exploits because noone cares' sentiment is the sheer volume of security professionals whose made base camp on OSX for workstation purposes. Something doesn't jive... not that I'm endorsing the OSX security high horse, but surely one cares about their OWN stuff.

John-S said...

You keep saying "production copy" on OS X. How is that? Yes it re-writes the current Safari but ONLY if you go through the trouble of choosing to participate in the BETA. The "beta" is is not available via software update you have to manually find and download it. It should not be considered an update but a "beta" on OS X as far as I have read...

You acknowledge all this prior to downloading here:
http://www.apple.com/safari/download/terms_mac.html

Apple stated it was designed to be secure since day one yes. But they weren't trying to be as cocky as you are making them out to be. They released it as a beta. Not an indestructible commercial copy. If they were trying to be cocky about how great their product was they would have skipped the whole beta thing and just released a final. But they obviously knew their would be bugs to find... hence BETA.

I'm glad their are people like you to help find bugs, exploits, etc but you sound a bit cocky when being unprovoked!

David Maynor said...

John-S:
I am running 2.0.4 on my Mac and it is vulnerable to some of these attacks as well. That is what i ment by production copy.

John-S said...

fair enough. I didn't see that part made clear earlier.

So, it does still seem strange that they find vulnerabilities for safari, quicktime etc all the time. Its not a secret, its in every pc magazine article and on apples website updates area. I mean, obviously we have updates for a reason.

Vulnerabilities are fewer on the mac by hundreds of thousands if not millions but they still do exist. If you would have found these vulnerabilities prior to this conference then you would have probably never made a headline. But since it was a major release on windows it is being blown way out of proportion it seems.

6,7 or 10 vulnerabilities in one day are a big deal yes but they were found in a beta program. How many of those were exploitable in the 2.04 or whatever on OS X? Is that such a big deal/number compared to what is normal with Safari vulnerabilities?

It just seems like you guys are all attacking this comment made by apple WAY too hard for no reason...

Richard said...

hmmm... work just fine for me after a few hours of usage, accept some minor QT plug-ins for some websites. Don't have a problem since installing Safari on my Win XP. Bookmarking, so far OK...

Grail said...

I posted about Safari crashing also. Different error, but frustrating all the same. Yes, I know it's in beta, but beta means not alpha, and usually that means the app opens ... I can't even get to the first web page.

S. Aresman Thomas said...

I discovered a bug involving Google Reader + Safari 3. Whenever I try to use the new email option to email myself a headline Safari crashes - immediately! I haven't try to do this on a windows machine.

-steve

omikron said...

Honestly guys what do you expect from a beta release. You reaction is exactly what Apple expects as they need to refine it before the final release.
Also you have no proof that this actually would happen on Mac OS X.
Even running the best piece of software on a crappy OS (Windows) would lead to some issues...
http://www.mostofmymac.com

Joe said...

John-S,

The problem is that these bugs are EASILY found when looked for. No one disagrees that there are bugs in software, but the problem is that with some simple work and no access to the source code, these glaring bugs were found. Apple should have found these BEFORE releasing the product.

makomk said...

lukasz: as far as I know, Konqueror is pretty well fuzzed by now. (Besides, the code bases are fairly divergent and security holes that affect one often don't affect the other). Last time I ran a few fuzzers over it, it had a couple of DoS bugs, but as far as I could tell they weren't exploitable for anything else.

John-S said...

Joe,

Are the bugs that are EASILY found in the Safari for mac 2.0.4 or are they in the BETA? I'm not clear on which bugs are found in which but if its in the BETA then who cares? They put software in BETA for this Exact purpose.

If not... its still not headline news as far as I'm concerned. Its weds now. How many more vulnerabilities have been found aside from the initial 8 found on the first day?

Sunrays of the World said...

look at the safari's interface. horrible! stone age engraving...

and look at firefox's comfortable on the eyet

and Opera Web Browser v9.2.. its mesmerizing.

Ian said...

Why should Apple expend the resources to find these flaws when guys like you and Thor do it for free?

David Maynor said...

Ian: exactly, thats why we are not reporting our findings. No free QA for them...

HumanJHawkins said...

I notice you found 2 remote execution bugs, but said one of them was "weaponizable". What does that mean?

Specifically, how can one remote execution bug be weaponizable, while the other is not?

Thanks!

Amy said...

David Maynor - still making headlines - I found a link here on Slashdot. Good to see you up and at it. Aren't you glad that you got .Mac from me? Hope you're doing well.

Grega said...

Um... Who cares. We have Firefox or Opera browsers that work. Why would anybody want anything else is beyond me...

tom said...

"Ian: exactly, thats why we are not reporting our findings. No free QA for them..."

So, what exactly is the purpose of finding and publicizing these vulnerabilities without actually telling anyone what the hell they are?

Either you're planing on using them for nefarious purposes, or you're just trying to piss off Apple. Either way it seems pretty unprofessional and immature.

Komail Noori said...

Cool. I like the idea. I will definately try this out.

inurl:.blogspot.com/2007

Blackpool Hotels said...

But more Importing bookmarks crashed the browser as did visiting one of the links. Yeah, this browser is fast loading pages, but it's still pretty buggy

It's all the chest-pounding and look-at-me bluster of a twelve-year-old boy.

Please explain to me the value in reporting vulnerabilities to an organization that treats them as marketing fodder and requires press to fix anything serious in a timely fashion

Posted By Blackpool Hotels
Date: 19th September 2007

u3hfn3kakb said...

Safari on Windows is not just insecure and unstable, it is deliberately deceptive:

When you select the option "Accept Cookies: NEVER", it does not honor that: it stores cookies permanently ANYWAY. (That is why the "show cookies" button is disabled... so you don't notice that you are being lied to). Apple was sued in 2004 for deliberately using an Eminem song in an iTunes commercial after permission had been denied... so the company appears to have an official policy of acting in bad faith. [1]* Apple's "Safari wardrobe malfunction" is likewise deliberate--because if it was not, the "Accept Cookies: NEVER" option would be disabled too (not just the "show cookies" option).

If, by fraudulent labeling, your software claims that it does something which it does not, isn't that false advertising? (And for the purpose of litigation, does it even matter if Apple's false advertising was intended for marketing gains, or for corporate espionage?) It's just not credible that this was a simple mistake--and now that we have prima facie evidence of the company's dishonesty, we have to wonder if Safari is collecting OTHER information about our online activities and transmiting it back to Apple. They could be electronically sifting through all of this to determine who is reading what... or who is talking about what Apple is doing. The possibility is not mere fantasy, because we already learned that Apple's management is psychotically-paranoid about "leaks" when they threatened to sue bloggers and website operators just for talking about what might be included in the next version of MacOS (leopard). [2]*

Apple's management has clearly gone insane: they are overwhelmed with paranoia about software competition, without any justification. What can realistically "compete" with MacOS? Linux? —Different versions of Linux have incompatible applications and installers! That's not a threat. —Windows, then? ...Ridiculous! The basic Windows architecture is fatally-flawed, and Microsoft is too busy trying to fix serious bugs at the most fundamental level of the OS to worry about improving the user-interface in the near-term. Windows dominates the market ONLY because Apple won't license MacOS to PC manufacturers: it is common knowledge that the "appeal" of Windows has always been linked to the freedom to choose a hardware vendor, not any kind of superior technology. Besides, the next Windows release of any significance is years away. As always, it will perform worse and cost more than the previous version (and it will be pathetically unstable). In comparison to the alternatives, MacOS X is already so superior that there is nothing worth hiding about planned improvements... and yet Apple is obsessed with silencing even POSITIVE criticism of it! There is just no polite way to put this: it is absolute madness... and if they are that crazy, there's no telling what else they might do for the sake of this paranoia. Apple sure has some great engineers, but the company's directors have lost their minds, and this Safari browser trickery only serves to underscore the point. Honestly, don't they have anything better to do with their time?!

*[1] www.macobserver.com/article/2004/02/24.16.shtml
*[2] http://apcmag.com/6659/how_apple_controls_the_media_legal_threats_and_bullying

Jesús said...

I dislike apples :)
prefer shashing linux kernel

Gerry said...

I also do dislike Safari

Mariahloc said...

Thanks for the info!

Akif said...

I can't believe big companies like apple are still releasing software without fuzzing the hell out of it first.
http://www.bencehersey.net

webmaster said...

Um who cares?

Isn't this what beta's are for? to catch most of the bugs??

joginder singh punia said...

IF YOU ARE PREPARING FOR A JOB IN .NET,HTML,JAVA,SEO,SQL,PHP,FLASH,TALLY ............. AND OTHER SOFTWARES OR IN IT SECTOR FOR PREPARATION AND GETTING A JOB YOU CAN TAKE HELP FROM http://www.softwareitjob.com

joginder singh punia said...

IF YOU ARE PREPARING FOR A JOB IN .NET,HTML,JAVA,SEO,SQL,PHP,FLASH,TALLY ............. AND OTHER SOFTWARES OR IN IT SECTOR FOR PREPARATION AND GETTING A JOB YOU CAN TAKE HELP FROM www.softwareitjob.com

The Cyber Crime Hack said...

This report is very usefull for me.
Thanks alot man!

Unlock iPhone 3g said...

very useful information. Thanks

Unlock iPhone 3G said...

Wow, great information and it worked a treat for me.. thank you so much

David Goff said...

Thanks! But Safari not so good. )))

saravana kumar said...

Very nice information thanks for sharing..its really know about this...