Showing posts with label CanSecWest.

Thursday, March 27, 2008

Safari and Apple get Owned...Again...


Last week Apple released a huge security update, likely because 7 days later CanSecWest would be hosting its PWN2OWN contest. I wanted to write a blog post then and mention that the best way to force Apple into releasing patches would be to announce an upcoming exploitation of Apple products. It's not just CanSec: the same thing happened when I announced I'd be publishing the disputed WiFi vulns at Toorcon, and they quickly patched the vulns they had denied existed. However, I decided to wait on that blog post.

Later in the week I saw the Safari update debacle. I wanted to write a blog post about the underhanded padding of their market share, and note that Apple had just made millions of Windows users less secure by adding additional insecure code to their machines. However, I decided to wait on that blog post, too.

I decided to wait on writing both these posts because I know that even with the updates Apple has released for Safari there are still tons of exploitable flaws in it, and someone would leverage one to win the PWN2OWN contest and walk home with a MacBook Air.

Dave Aitel just reported on DailyDave that Charles Miller won the MacBook Air using a Safari exploit. I would like to note that out of the three machines (OSX, Linux, Vista), OSX was the first to fall. I hope this puts to rest the myth that OSX is more secure, but I am sure the zealots will have a million reasons why this is a fixed or rigged contest. The only question I have remaining is who is going to be the first to file a class action lawsuit against Apple on behalf of users who were tricked into installing Safari and are now at risk of compromise? I am not advocating that someone do that, I am not a fan of needless litigation, but I can already picture the commercials the ambulance-chasing lawyers could use.

"Were you tricked into installing Safari by Apple? Have you had any personal data compromised? Call the law firm of Dewey, Cheatem, and Howe!"

The other interesting thing about the updates is something I like to call the "window of owning". I advise our clients on this: Apple bundles open-source code, but patches it late. It takes them anywhere from weeks to as long as a year to patch their version of the code after it was patched upstream. It's fairly straightforward to keep track of the open-source (and other third-party) code that Apple uses, and when a vulnerability is announced for the open-source version, write exploits for the Mac version, which is still running the old code.

This "window of owning" is one reason that the update last week was so large. Apple security dug deep and fixed a lot of vulnerabilities that they would normally not bother with, in a futile attempt to get OSX through the PWN2OWN contest unscathed.
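The tracking described above comes down to bookkeeping: an inventory of which third-party component versions the vendor ships, and for each upstream advisory, the first upstream release that fixes it and when that release appeared. The script below is an added example (not the post's or Errata's own tooling) that flags every component whose bundled version still predates the upstream fix and reports how long that window has been open, plus the vendor's historical lag on advisories it has already closed. The component names, versions and dates are constructed sample data, not real advisories.

```python
"""Track the "window of owning" for third-party code bundled by a vendor.

Added example, not the post's own tooling. SAMPLE_BUNDLED and SAMPLE_ADVISORIES
are constructed data with hypothetical component names, versions and dates.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def parse_version(v):
    """Turn '2.6.31' into (2, 6, 31) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    component: str
    upstream_fixed_in: str                # first upstream release containing the fix
    upstream_fix_date: date               # when upstream shipped that release
    vendor_fix_date: Optional[date] = None  # when the vendor shipped its own fix, if ever


# Constructed inventory: component -> version shipped in the vendor's current build.
SAMPLE_BUNDLED = {
    "libfoo": "1.2.3",
    "libbar": "0.9.8",
    "libbaz": "4.0.2",
}

# Constructed advisories against those components.
SAMPLE_ADVISORIES = [
    Advisory("libfoo", "1.2.4", date(2008, 1, 10)),                    # vendor has not caught up
    Advisory("libbar", "0.9.8", date(2007, 6, 1), date(2007, 6, 20)),  # closed after 19 days
    Advisory("libbaz", "4.0.2", date(2007, 3, 1), date(2008, 3, 18)),  # closed after about a year
]

REPORT_DATE = date(2008, 3, 27)  # the date this post was written; used as "today"


def open_windows(bundled, advisories, today):
    """Return (component, shipped, fixed_in, days_open) for every still-open window.

    A window is open when the version the vendor ships is older than the first
    upstream release that contains the fix. days_open counts from the upstream
    fix date, since that is when the bug became public knowledge.
    """
    out = []
    for adv in advisories:
        shipped = bundled.get(adv.component)
        if shipped is None:
            continue  # vendor does not bundle this component
        if parse_version(shipped) < parse_version(adv.upstream_fixed_in):
            days_open = (today - adv.upstream_fix_date).days
            out.append((adv.component, shipped, adv.upstream_fixed_in, days_open))
    return out


def patch_lag_days(advisories):
    """Days between upstream fix and vendor fix, for advisories the vendor has closed."""
    return {
        adv.component: (adv.vendor_fix_date - adv.upstream_fix_date).days
        for adv in advisories
        if adv.vendor_fix_date is not None
    }


if __name__ == "__main__":
    for comp, have, need, days in open_windows(SAMPLE_BUNDLED, SAMPLE_ADVISORIES, REPORT_DATE):
        print(f"{comp}: bundled {have} < upstream fix {need}, window open {days} days")
    print("historical vendor lag (days):", patch_lag_days(SAMPLE_ADVISORIES))
```

The historical lag numbers are what make this useful in practice: once you know a vendor typically takes months to pick up an upstream fix, the upstream advisory itself tells you roughly how long the vendor's copy will stay exploitable.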

UPDATE: More info at Security Focus.
UPDATE 2: Some people don't know the screenshot above is from our LookingGlass tool. I added it to show how many unsafe functions are used in Safari as well as the lack of ASLR or NX support. This means that I would wager that a vulnerability in the OSX version of Safari would also work on XP/Vista with a high success rate since Apple does not employ any of the available features to mitigate an attack.
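The two mitigations named in the update are linker opt-ins recorded in the PE optional header's DllCharacteristics field: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) lets the loader relocate the image, which is what ASLR needs, and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) marks the image as DEP/NX compatible. The script below is an added example, not the LookingGlass tool, that reads those flags from a PE image and does a crude scan for the names of bounds-free C runtime functions among the file's strings. The build_min_pe() helper constructs a synthetic, non-loadable PE header purely so the example runs offline; a real check would read Safari.exe or WebKit.dll from disk.

```python
"""Check a Windows PE image for ASLR and NX/DEP opt-in flags and for names of
unsafe C runtime functions.

Added example, not the LookingGlass tool. build_min_pe() fabricates a minimal
PE32 header for demonstration; it is not a loadable executable.
"""
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image is DEP/NX compatible

# Functions with no length argument. Their presence in an import table is a
# hint that unchecked copies exist somewhere, not proof of a vulnerability.
UNSAFE_APIS = (b"strcpy", b"strcat", b"sprintf", b"vsprintf", b"gets", b"lstrcpyA", b"lstrcatA")


def dll_characteristics(data):
    """Return the DllCharacteristics field from the PE optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigations(data):
    """Map of which load-time mitigations the image opts into."""
    flags = dll_characteristics(data)
    return {"aslr": bool(flags & DYNAMIC_BASE), "nx": bool(flags & NX_COMPAT)}


def unsafe_imports(data):
    """Names from UNSAFE_APIS present as NUL-terminated strings in the image.

    Import-by-name entries store the symbol as a NUL-terminated ASCII string, so
    a raw substring search finds them without parsing the import directory.
    """
    return sorted(name.decode() for name in UNSAFE_APIS if name + b"\0" in data)


def build_min_pe(dllchars, extra=b""):
    """Constructed minimal PE32 image with the given DllCharacteristics (demo only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)   # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt) + extra


if __name__ == "__main__":
    # Constructed samples: one image with neither flag and some unsafe imports,
    # one that opts into both mitigations.
    weak = build_min_pe(0, b"\0strcpy\0sprintf\0")
    hard = build_min_pe(DYNAMIC_BASE | NX_COMPAT)
    for label, img in (("weak", weak), ("hardened", hard)):
        print(label, mitigations(img), unsafe_imports(img))
```

Two caveats when reading the result against a real binary. DYNAMIC_BASE only matters on Vista and later, since XP has no ASLR at all, so on XP the NX bit is the only one of the two that buys anything. And the string scan is deliberately crude: a matching name means the function is referenced somewhere, not that any call site is reachable with attacker-controlled lengths.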