Apple Safari On Windows Broken On First Day

An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.

Re:He notes in the blog that his company does not

Yeah -- what the hell.

I can understand not sitting on a vulnerability -- there are some valid points both for and against full disclosure -- but not notifying the company at all? WTF.

This is the sort of stuff that just makes the whole IT security industry, and everyone involved in it, look dangerous and irresponsible.

telling Apple would be insane

These things are worth a lot. Spammers, governments, mobsters... all will pay. You even get your choice of payment method:

*euros
*credit card numbers
*yuan
*underage virgins
*dollars
*shekels
*death to your enemies
*rubles
*pounds, British money
*pounds, crack cocaine

Just be sure to not rip off the buyer. Most of the buyers have nasty ways to kill you. Some of them have polonium. Some of them have penis pills.

Re:He notes in the blog that his company does not

Citing the blog:


UPDATE 5: I've been asked what our disclosure policy is. Its pretty simple, in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or make threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting. We do not sell the vulnerabilities to any 3rd party.

Seems the very likely scenario that they reported a critical vulnerablity and Apple tried to troubleshoot them "Is the network cable plugged in?" or "Our software is absolutely secure, your don't need to worry about it, our software has been throughoutly tested." or such. A security expert who gets flushed down the toilet by a marketoid is quite likely to hold a grudge against given company and report the following bugs elsewhere than said company.

Re:He notes in the blog that his company does not

Ah yes, giving away FREE software and expecting people to use it for FREE. In turn for that FREE use, if someone finds a bug it's absolutely ludicrous to expect them to report it.

Of course it is. There is no way I'd expect my mother to report a bug. However what isn't ridiculous is expecting someone who deliberately seeks out a bug, has the ability to reproduce it, and has blogged about it and also calls themselves a security analyst, to actually report the bug. Heck, only a link to his blog post would probably be helpful to Apple. That takes very little effort on his part, so its not unreasonable to expect it.

Re:He notes in the blog that his company does not

Offtopic here, but that's generally a really severe pressure that game developers get from their publishers, unfortunately. It's particularly severe there; it is not as if you have 'Electronic Wordprocessor Monthly' grading the latest import productivity apps, and raising the hype on them all.

("Capcom ExpenseBlaster 3 Turbo gets an 8/10 for the blazing next-generation way it lets me balance my checkbook!" "I'm sorry, but this one felt lacking to me. It was anemic in terms of features, especially compared to other contenders like Rockstar's 'Grand Theft Accounting,' and the money-laundering options. Only a 4/10.")

That doesn't stop people from proclaiming doom and gloom and trying to point out alternative software if non-game products slip, of course. Which means more than game developers get the market pressure to just 'get a 1.0 app out there, and patch it later,' albeit a bit less than game developers do. Which sucks, but... the cause of this one unfortunately lies with both the developers and consumers, I think.

Re:He notes in the blog that his company does not

'Ah yes, giving away FREE software and expecting people to use it for FREE.'

Apple is a commercial entity. As long as Apple is still making a profit nothing you get from Apple is free, it may not be the guy browsing but someone is footing the bill. You can certainly bet that Apple didn't just drop their bottom line by the cost of developing and distributing the software.

It reminds me of the last time I called Comcast. I ordered Showtime for the Showtime on demand movies and while the channels came in the video on demand gave an error code (very annoying since I never waste my time watching whatever they are force feeding at the moment and watch what I want when I want with the video on demand). It took them 3 months to fix it and they had the nerve to charge me for Showtime during that time. Naturally I demanded a credit and the girl tried to claim that I was paying for the channels only and the video on demand was a free service they gave me out of the kindness of their hearts so there was nothing to credit. I told her that was wonderful, take away all that expensive programming I pay all that money for and just leave me the free stuff. She told me that it only comes free with the paid programming. I told her to make up her mind, either they are giving me the video on demand for free or they require me to pay them money in order to receive it.

Re:He notes in the blog that his company does not

Before people start jumping on you (oh, too late) they should look at any of Apple's security updates. Apple routinely credits the people who report vulnerabilities. The majority of "bugs" in security updates are patches to third party stuff from the OSS community, and Apple finds stuff internally, but if you report a vulnerability and Apple patches it they credit you.

for example, in Security Update 2007-5 [apple.com]

mDNSResponder

CVE-ID: CVE-2007-2386

Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9

A remote attacker may be able to cause a denial of service or arbitrary code execution

Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.

and

VPN

CVE-ID: CVE-2007-0753

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: A local user may obtain system privileges

Description: A format string vulnerability exists in vpnd. By running the vpnd command with maliciously crafted arguments, a local user can trigger the vulnerability which may lead to arbitrary code execution with system privileges. This update addresses the issue by performing additional validation of the arguments passed to vpnd. Credit to Chris Anley of NGSSoftware for reporting this issue.

So shut up and read up before making up claims about how Apple hates security researchers.

Re:He notes in the blog that his company does not

I wondered who'd be the first to launch an ad hominem attack - and look, right in the first comment.

How about we try it this way:

Maynor claims to be a professional security researcher. One of the cornerstones of professionalism in that field is responsible disclosure of discovered vulnerabilities. Another is full disclosure of vulnerability details after a vendor has had a reasonable amount of time to correct the vulnerability. Yet another is working to advance the overall state of computer security. But Maynor has a track record of irresponsible, partial-at-best disclosure: he claims discovery of vulnerabilities while proclaiming that he will not report them to the vendor, and strives to hide the details of his discoveries from open review by his peers in the security community (for example, witness the endless controversy over the alleged MacBook wifi hack, all of which could have been settled quickly and objectively by simple peer review of the exploit he claimed to have used). And none of this can, so far as I can see, be construed as advancing the state of computer security in any fashion.

In other words, there is no sense of the word "professionalism" for his field which seems to be reasonably applicable to Maynor. Before you go screaming "ad hominem" or "Apple Fanboi", take note of two things:

1. All I've criticized here are the man's methods, not the man himself. I don't even speculate to his motives for operating the way he does.
2. I'm typing this on a MacBook Pro, and I do like both it and the operating system it runs, but neither are particularly essential to me -- at this point I can move between (Unix-y) operating systems with relative ease, and occasionally do as needed (prior to this MacBook, I used various forms of Linux exclusively for about six years, and still use them on a regular basis. The only OS I have a prejudice against is Windows, and I've even got that available, virtualized, when I need to test things in it).

I await your reply.

Re:He notes in the blog that his company does not

No better day to blow the whistle then the same day it's released. Much smaller chance of a user base being affected by it.

Re:He notes in the blog that his company does not

Ah, I see. So this is a religious thing. I wont bother arguing then.

Re:He notes in the blog that his company does not

I'll bite. Maynor described vulnerabilites. Maynor immeadately goes public with Mac vulnerabilites because he (in the past anyway) has claimed that Apple has ignored private disclosures. I've has exactly the same experience (many years ago) so I can support him on this point

Looking at changelists for bugfix releases of Mac OS X, Apple regularly fixes non-public vulnerabilities and credits the people who found them. They do downplay these issues, and some managers from Apple have publicly lied about vulnerabilities in the past, but they do fix them pretty quickly and give proper credit.

For all we know, Maynors own account of his issues with Apple bear little resemblance to what really happened.

Re:He notes in the blog that his company does not

Maynor might be a liar or confused about the vulnerabilites. This dos not seem to be the case based on my reading, and nobody seems to be saying that the vulnerabilites he found did not exist.

The issue seems be the notion that it is somhow "wrong" for Maynor to disclose the vulnerabilites without informing Apple and giving them time to fix it. Maynor claims that IN THE PAST Apple has been uncooperative WITH HIM. So based on his OWN PAST EXPERIENCE he chose to release the vulnerabities publically. He did nothing wrong.

Frankly, I'd be a little pissed off. Maynor is doing valuable free work for Apple and he's getting pissed on by the Apple community for it.

Re:shooting the messenger is now + 5 insightful?

They release a beta of a free product, the engine of which (and almost certainly where these bugs are located) is open source, and this "security researcher" finds a bug and refuses to report it. Deep throat he's not.

Re:shooting the messenger is now + 5 insightful?

or you sincerely believe most folks that install stuff know what they are doing?

That is the responsibility they undertake, yes. They may or may not understand all the ins and outs, but it's their responsibility.

so then it is better that people don't know what's in for them when installing it, right?

Based on the blog posting, they STILL don't know what's "in for them," since the vulnerabilities are still undisclosed. They remain in Maynor's to do list, for sale to the highest bidder for all we know.

If you're a linux or MS supporter, don't waste your breath defending this guy. He wasted a year of everybody's time on that Airport vulnerability that didn't exist.

Re:shooting the messenger is now + 5 insightful?

Or how about everyone stop treating their choice of operating system as a religion? Hmm?

Re:shooting the messenger is now + 5 insightful?

I didn't say he shouldn't report that there's a bug, I said that he should report the bug to Apple. The beta agreement probably requires that he do that, actually.

And if you're installing a beta then yes, you really should be aware that you're in for some bugs. It's very unfortunate that Google has diluted the meaning of "beta" so much.

Also note that he's not really failing to report a bug to Apple, he's failing to report it to the webkit/khtml open source project. I doubt very much the bugs are in Apple's closed source GUI front end to webkit.

Re:shooting the messenger is now + 5 insightful?

No. But put it this way...

Let's say there's something built atop an open source library. Hey, there's plenty of them out there... let's pick OpenSSL as an example. It's open source and it's used in other projects, some of which are commercial or proprietary systems. Now assume that some company makes a proprietary, closed product built on that project as the core, but continue to contribute changes -- a heck of a lot of changes -- back to the original project as the develop. And then they release this as a beta.

Finally, let's say that someone finds a vulnerability in the proprietary project, a security issue with implications for the open source project. And instead of reporting the vulnerability to the proprietary folks (who would probably promptly generate a patch for both their tool and the underlying library, the person refuses to report the vulnerability to anyone and just says 'I found vulnerabilities, but I'm not telling you what they are.'

That's basically how WebKit/KHTML and Safari are tied together. Safari's just a UI atop an open source framework, WebKit, which Apple is the primary contributor to but which other people also contribute to, and which other projects (besides Safari and OS X) use. WebKit is used on Symbian OS, on Linux, and various other operating systems. And this guy is claiming to have found vulnerabilities which, given where they occur, seem to have implications for WebKit as well as Safari... and is refusing to give the details to either Apple, or to the WebKit development community.

You don't have to be an Apple 'fanboi' (or fangirl) to see that's not the way to handle security disclosures. If someone found several bugs in Firefox and said 'ZOMG I can crash Firefox or anything which uses the Gecko HTML engine. I can do it 100% of the time. But I'm not going to report the details to the Firefox team, so, nyah!' people would be up in arms about it.

Professional, good security researchers report things to the responsible parties, giving them the details necessary to fix it. Going, "Ha ha, I found a way to break your stuff but I'm not going to tell you how" is not only unprofessional, it's just downright immature.

Sure, lambaste Apple for releasing a beta/preview of something with bugs if you feel you must. But, please, don't bother trying to defend someone who basically makes a mockery of the entire security field.

Re:shooting the messenger is now + 5 insightful?

not to be mean but
  It's a friggin BETA!!!!!

it's supposed to have bugs in it.

besides it's not like IE where the bugs are in the shipping version and part of it's core design.

Re:shooting the messenger is now + 5 insightful?

You don't have to be an Apple 'fanboi' (or fangirl)

"Fangrrl", please!

Re:shooting the messenger is now + 5 insightful?

It's very unfortunate that Google has diluted the meaning of "beta" so much.
It's very unfortunate that the rest of the industry (especially MS) has diluted the meaning of "gone gold" so much. Gold is the new beta; beta is the new alpha.

Re:shooting the messenger is now + 5 insightful?

And "no longer supported" is the new gold.

Re:shooting the messenger is now + 5 insightful?

I think the company you're looking for is Mirabilus. Mirabilus diluted the meaning of Beta. Thanks for playing.

Re:shooting the messenger is now + 5 insightful?

I doubt URL handling is part of the KHTML/KJS renderer; responsibility for acquiring content in Konqueror is done in KIO, so Apple would have had to implement their own content acquisition scheme.

It is possible that the stack failure is in (KHTML/KJS)/WebKit - but as it's not been shown that these bugs apply to either Konqueror or Mac Safari, it's most unlikely that the stack failures are the result of the open portion of the code.

Anyway, as a news story, this is a null set; it's a public beta. It's there for the public to test it and report bugs. It's not a production browser.

I'd be curious, however, to see if these bugs are Windows-only (for example, Mac OS-X and KDE have a URL handling scheme built into the OS that wouldn't be available in Windows; it would need to be implemented as part of Win Safari), or if they apply equally to Windows and Mac.

Re:shooting the messenger is now + 5 insightful?

It's not present on Mac Safari, though the demo page does crash the Safari 3 Beta.

The main thing is how the URL handling works, under Windows Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS the MacOS URL handler finds the application, and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.

I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.

Re:shooting the messenger is now + 5 insightful?

Offtopic:

I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.

So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!

Now, all the docs on how to enable it are for Safari on the Mac, understandbly. What to do?

Kill Safari

Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist

Add, in what appears to be the logical place: IncludeDebugMenu1

Load Safari. Now developer-useful things like the Javascript Console are available to you.

Re:shooting the messenger is now + 5 insightful?

Slashdot stripped my XML. The line to add is, <key>IncludeDebugMenu</key><string>1</string>

Re:shooting the messenger is now + 5 insightful?

remember to include some errrors, so you can post a correction and get some more positive moderation for the second comment

So when are you coming back for your second dose of moderation? Or do I get to steal them because I beat you to it? Informative surely *fingers crossed* :-)

Re:He notes in the blog that his company does not

Truth is, if the guy had reported the bugs/vulnerabilities to Apple, they more than likely would have done what they always do, wait months to push a fix out or just deny their existence altogether.

Did you read the disclosure policy?

Keeping with our disclosure policy, we do not report bugs to Apple.

It doesn't say

Keeping with our disclosure policy, we do not wait for a response to the bugs we report.

If it said that, your comment would make sense. That would be something like ... "We don't think Apple will fix it, so we won't wait before announcing it". I could see that (though not agree with it). But "We don't think Apple will fix it, so we won't even TELL them about it" is totally irresponsible. The only "rational" interpretation of that is he actively wants to make it harder to improve the security of Safari.

Do you have a better explanation, or a justification for that approach?

Re:He notes in the blog that his company does not

If it said that, your comment would make sense. That would be something like ... "We don't think Apple will fix it, so we won't wait before announcing it". I could see that (though not agree with it). But "We don't think Apple will fix it, so we won't even TELL them about it" is totally irresponsible. The only "rational" interpretation of that is he actively wants to make it harder to improve the security of Safari.

Do you have a better explanation, or a justification for that approach?

[note: I'm not the 'you' referred to in the parent]
Why would someone announce that he's found a vulnerability but refuse to disclose it to the vendor? Some ideas:
a) He wants to hurt the reputation of the product/vendor. (This doesn't even require the existence of a real vulnerability.)
b) He wants to sell the specifics vulnerability, either to the vendor or to the highest bidder (in which case, this is advertising).
c) He doesn't care about the security side of things, he's just earning himself some free PR on sites like this which will publish his unsupported claims uncritically.
d) This is his idea of fun.

Anything I've missed?

Maybe that's because...

... it's a beta version.

Re:Maybe that's because...

What makes me scratch my head... if these guys can find holes in a few hours, why can't Apple?

Because 100,000k security researchers and hackers all typing away at keyboards will eventually write Shakespeare?

I don't care how bright your engineers are or how well you've planned your security model, the moment you put it on the 'net it WILL be hacked. That doesn't mean it will stay hacked, so much as the task of securing a system against simulated internal attacks will uncover different problems than putting it in the wild.

Re:Maybe that's because...

"if these guys can find holes in a few hours, why can't Apple?"

David Maynor has a track record as a publicity whore first and legitimate security researcher second, so whether Maynor has actually found as many bugs as he claims to have found here is up for debate until he provides some more substantial proof. He also has a giant ax to grind after Apple embarrassed him in the AirPort bug fiasco. I'd take anything he says with a grain of salt until he gives me ample reason to trust him again.

Nice policy, by the way: find bugs and don't ever report them to Apple. Because last time you claimed to have reported a bug, Apple exposed you as a liar, so now you just don't bother. That's brilliant. We need more people in the world with that kind of attitude. And Maynor wonders why people don't take him seriously as a "security researcher". The Blogspot-based announcement doesn't help either. That's like your company e-mail address being @hotmail.com.

Thor Larholm, on the other hand, may well have found a legitimate bug. What with this being beta software and all, that's not too incredibly surprising. Equally serious bugs have been found in release versions of Firefox and IE, so I'm not sure what the big deal is here. If Safari 3 ships with these vulnerabilities still unfixed, then people should worry.

p

Re:Maybe that's because...

But it just seems to me that they need a "devious little shit" department

Apple have plenty of lawyers already.

Re:Maybe that's because...

If the "known attack vector" is actually a bug in the Microsoft Windows JPEG handling API, will you still be crowing about Safari 3 for MS Windows being broken? Go have a look at the number of problems that exist for previous versions of Microsoft Windows XP, in particular relating to graphic formats of some kind or another.

Besides, from the screenshot of the crash reporter, it's a null pointer dereference (not a heap overflow) - so sure, it's a remotely exploitable denial of service attack, but the browser crashes because the software has detected a problem and decides that the safest way out is to dump core. Let's all go tell the world how broken Safari 3 for MS Windows is!

For example: