Apple’s Safari browser for Windows beta, introduced on June 11 at the Apple Worldwide Developers Conference and touted as being “designed … to be secure from day one,” has a minimum of three DoS (denial of service) flaws, two memory corruption bugs, one command execution vulnerability and two remote code execution bugs—one of which has already been weaponized by security researcher Dave Maynor.
Security researchers were finding bugs within two hours of downloading and installing the beta.
“These are popping out like hotcakes,” said Maynor on the Errata blog yesterday.
Six of the bugs were found by Maynor, CTO and founder of Errata Security. Aviv Raff also found a memory corruption flaw, while Thor Larholm found a command execution vulnerability.
“I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a Web site,” Larholm said in his blog.
Larholm said that the logic behind the code execution flaw, a protocol handler command injection, is “quite simple” and has been known and understood for years.
The vulnerability arose, Larholm said, because Apple neglected to implement a proper level of input validation for specific command line arguments that execute with URL protocol handlers. A typical request for a URL such as myprotocol://someserver.com/someargument can thus be turned into a command line that accepts arbitrary characters that can later be executed.
The resulting command line can’t be executed, as it’s invalid, he said. But Safari doesn’t properly validate the input when those same requests are handled through IFrame elements
This cannot be used to exploit Safari as the command line to be executed is simply invalid. However, Safari does not properly validate the input when these same requests are handled through IFRAME elements. According to Larholm, that will give an attacker everything he or she needs to go after “the entire range of available URL protocol handlers on the Windows platform.” That would include telnet or callto protocols, through which an attacker could pass, unfiltered, any commands.
Larholm has posted PoC (proof of concept code) that attempts an exploit against the gopher:URL protocol handled in Firefox. The PoC exploits Safari by passing through Firefox via the Gopher protocol, launching a command line with any code that’s been passed by the attacker in a call to the process.run method.
Larholm noted that he used Firefox and the Gopher URL protocol because he’s familiar with them but that the vulnerability has to do with lack of input validation for command line arguments handed to URL protocol handlers.
“As such, there are a lot of different attack vectors for this vulnerability,” he said.
Many are raising the point that these bugs were found in a beta—hardly surprising. Maynor, however, points out that his six bugs also work on the production copy of OSX, which lacks “any kind of advanced security features.”
Indeed, Maynor slapped around the Apple fan base back in February when he made the claim that Windows Vista is more secure than OS X 10.4.8. His rationale involves advanced security features in Vista, including ASLR (Address Space Layout Randomization) and protection against heap overflow exploitation, both of which OS X lacks. Maynor isn’t the only one to praise Vista over OS X. Matasano’s Tom Ptacek also has commented on the lack of advanced security features in OS X.
None of the researchers are giving their findings to Apple, which has poisonous relations with security researchers. Maynor’s disclosure policy sums up the status quo:
“[Our disclosure] policy is … pretty simple, in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or make threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pen testing. We do not sell the vulnerabilities to any 3rd party.”