    Day One Becomes 0-Day for Safari for Windows Beta

    By Lisa Vaas - June 12, 2007

      Apple’s Safari browser for Windows beta, introduced on June 11 at the Apple Worldwide Developers Conference and touted as being “designed … to be secure from day one,” has a minimum of three DoS (denial of service) flaws, two memory corruption bugs, one command execution vulnerability and two remote code execution bugs—one of which has already been weaponized by security researcher Dave Maynor.

      Security researchers were finding bugs within two hours of downloading and installing the beta.

      “These are popping out like hotcakes,” said Maynor on the Errata blog yesterday.

      Six of the bugs were found by Maynor, CTO and founder of Errata Security. Aviv Raff also found a memory corruption flaw, while Thor Larholm found a command execution vulnerability.

      “I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a Web site,” Larholm said in his blog.

      Larholm said that the logic behind the code execution flaw, a protocol handler command injection, is “quite simple” and has been known and understood for years.

      The vulnerability arose, Larholm said, because Apple neglected to implement a proper level of input validation for specific command line arguments that execute with URL protocol handlers. A typical request for a URL such as myprotocol://someserver.com/someargument can thus be turned into a command line that accepts arbitrary characters that can later be executed.

      The resulting command line cannot be used to exploit Safari on its own, because it is invalid, he said. However, Safari does not properly validate the input when these same requests are handled through IFRAME elements. According to Larholm, that gives an attacker everything he or she needs to go after “the entire range of available URL protocol handlers on the Windows platform.” That would include the telnet or callto protocols, through which an attacker could pass, unfiltered, any commands.

      Larholm has posted PoC (proof of concept) code that attempts an exploit against the gopher: URL protocol handled by Firefox. The PoC exploits Safari by passing the request through Firefox via the Gopher protocol, launching a command line with whatever code the attacker has passed in a call to the process.run method.

      Larholm noted that he used Firefox and the Gopher URL protocol because he’s familiar with them but that the vulnerability has to do with lack of input validation for command line arguments handed to URL protocol handlers.

      “As such, there are a lot of different attack vectors for this vulnerability,” he said.
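      The missing check Larholm describes, as an added example that is not code from the article, from Safari or from Larholm's PoC: a browser-side validator that refuses to hand a URL to an external protocol handler unless its scheme has a registered handler and every character (including percent-decoded ones) stays inside the RFC 3986 character set, then substitutes the URL into an argv-style handler template instead of a flat command-line string. The handler path, the scheme allowlist and the sample URLs other than the article's myprotocol://someserver.com/someargument are constructed for the example.

```python
from __future__ import annotations

import re
from urllib.parse import unquote, urlsplit

# Characters a URL may contain on its way to an external protocol handler:
# RFC 3986 unreserved + reserved characters plus '%'. The double quote,
# whitespace and control characters are never valid URL characters and are
# exactly what lets an argument break out of a handler's command line.
_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")
# The same characters must not reappear after percent-decoding either, since
# many handlers decode the URL before using it.
_FORBIDDEN_DECODED = re.compile(r'[\x00-\x20"\x7f]')
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")


def validate_handler_url(url: str, allowed_schemes: frozenset[str]) -> str | None:
    """Return None if url may be dispatched to a protocol handler, else the reason not to."""
    parts = urlsplit(url)
    if not _SCHEME.match(parts.scheme):
        return "malformed scheme"
    if parts.scheme.lower() not in allowed_schemes:
        return f"scheme {parts.scheme!r} has no registered handler"
    if not _ALLOWED.match(url):
        return "URL contains characters outside the RFC 3986 set"
    if _FORBIDDEN_DECODED.search(unquote(url)):
        return "percent-encoded quote, whitespace or control character"
    return None


def build_handler_argv(template: list[str], url: str, allowed_schemes: frozenset[str]) -> list[str]:
    """Substitute the URL for '%1' in an argv-style handler template.

    Building an argv list rather than one command-line string keeps the URL
    inside a single argument whatever it contains; validation runs first so a
    malformed URL is refused rather than forwarded to the handler.
    """
    reason = validate_handler_url(url, allowed_schemes)
    if reason is not None:
        raise ValueError(f"refusing to dispatch {url!r}: {reason}")
    return [url if arg == "%1" else arg for arg in template]


if __name__ == "__main__":
    schemes = frozenset({"myprotocol"})  # constructed allowlist
    for candidate in (
        "myprotocol://someserver.com/someargument",       # from the article
        'myprotocol://someserver.com/x" extra-argument',   # constructed: quote and space
        "myprotocol://someserver.com/x%22%20y",            # constructed: same, percent-encoded
        "telnet://someserver.com/",                        # scheme outside the allowlist
    ):
        print(candidate, "->", validate_handler_url(candidate, schemes) or "ok")
```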

      Many are raising the point that these bugs were found in a beta—hardly surprising. Maynor, however, points out that his six bugs also work on the production copy of OS X, which lacks “any kind of advanced security features.”

      Indeed, Maynor slapped around the Apple fan base back in February when he made the claim that Windows Vista is more secure than OS X 10.4.8. His rationale involves advanced security features in Vista, including ASLR (Address Space Layout Randomization) and protection against heap overflow exploitation, both of which OS X lacks. Maynor isn’t the only one to praise Vista over OS X. Matasano’s Tom Ptacek also has commented on the lack of advanced security features in OS X.

      None of the researchers are giving their findings to Apple, which has poisonous relations with security researchers. Maynor’s disclosure policy sums up the status quo:

      “[Our disclosure] policy is … pretty simple, in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or makes threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pen testing. We do not sell the vulnerabilities to any 3rd party.”
