Newest Safari browsers find themselves shooting gallery targets
By Scott M. Fulton, III | Published March 28, 2008, 12:10 PM
Apple could soon find itself the #5 PC producer in the US. Part of the cost of success is prolonged exposure to a more intense spotlight, and when more people are looking at your close-ups, they tend to notice your wrinkles.
It's unusual for Apple to be the one fighting a two-front battle for browser security. But today it's the one that feels like it's being pummeled with tomatoes normally reserved for Microsoft. Yesterday, the latest Safari running on a MacBook Air actually went down first in a public contest for security engineers, just days after an Argentine researcher discovered that a very old JavaScript page spoofing routine could direct Safari for Windows to just about any address.
The "PWN to OWN" contest took place at the CanSecWest security conference in Vancouver, and awarded a $10,000 cash prize plus the compromised MacBook Air to noted researcher Charlie Miller, the fellow who last July discovered one of the first security holes in the Apple iPhone. After reportedly having developed the code for the exploit over the past several weeks, Miller and his two Independent Security Evaluators colleagues were able to compromise a MacBook Air running Mac OS X 10.5.2, before anyone else in the room could take down the machines they'd chosen, including machines with other OSes.
But perhaps for the better, we don't know the details of Miller's exploit just yet. As a condition of entering the contest, the exploit became the intellectual property of the principal sponsor, TippingPoint, which said this morning that it immediately passed news of the exploit to Apple. The security company's stated policy is not to make those details public until the manufacturer has given its consent.
Windows users may hope Safari doesn't share as much binary code between versions as it does licensing restrictions. In any event, last week's discovery that the latest version for Windows was susceptible to a simple page frame spoof may not be considered a "system compromise," though security firm Secunia saw fit to catalog it as "highly critical."
The code for this JavaScript-based exploit was made public, though there's not much surprising or innovative about it: it's the same kind of page spoofing problem that plagued Microsoft Internet Explorer over three years ago. Essentially it enables the creation of a browser frame whose address claims its contents come from one URL while they are in fact supplied by a separate JavaScript element that runs unchecked.
As Neophasis' Juan Pablo Lopez Yacubian writes, "What makes the proof of concept is simply open a window with the site and we want to forge another function overwrites the content of the page so that we can insertarle [sic] from a frame to a fake login what is happening to us."
Secunia also noted, somewhat more legibly, that Yacubian discovered that triggering Safari for Windows to download a .ZIP file with an overly long filename can trigger a buffer overflow.
How very classless and unprofessional to go out of the way twice to ridicule Yacubian's English fluency.
Score: 0
What do you mean - the use of (sic) by the misspelled word? Standard editing, dude.
Score: 0
Always leave it to Betanews to find a way to take a direct or indirect shot at MS.
Score: 0
All browsers should include NoScript/IE locked-down-mode-like functionality out of the box.
JavaScript is too unwieldy.
Score: 0
NoScript for Firefox is excellent. I use it all the time, and it's an inconvenience I'm happy to live with, enabling it for the sites I visit. It is very effective at removing tracking and ads, and I agree it would be beneficial to everyone, but I doubt they would be willing to do the level of tweaking necessary for it to be effective.
Score: 0
I refuse to browse without it. And now that ad networks are compromised, anybody browsing with ads displaying is asking for malware.
Sorry commercialism, I'm not buying your crap until you secure your nets.
Score: 0
Same ... Just this site alone has atdmt.com, doubleclick.net, googleservices.com, googlesyndication.com, googleadservices.com and google-analytics scripts disabled.
It's nice to know whose scripts you're running when browsing.
Score: 0
atdmt.com, doubleclick.net, aren't even seen by noscript, because adblock got to them first. :)
Score: 0
Just a bit more to gchenry's post: Microsoft also has a significant amount of shares in Apple ;)
Score: 0
I believe they sold most of those back if you are referring to the bailout over a decade ago.
Score: 0
1. If you want to look at Safari 3.1, download Safari 3.1. There is no need to download the entire site.
2. Probably immaterial, but MS was a sponsor of the event and Apple was not.
3. The event was designed to test the hack-ability of machines, not 3rd-party application vulnerabilities. (Think Java.)
Secunia results so far this year:
Firefox 2.0.xx: 22, with 4 not fixed
Safari 3.1: 1, with one unfixed
IE 7.xx: 23, with 8 unfixed
Most would consider this a Java exploit and not a Safari exploit. I tried Safari and would rate it comparable and maybe better than the other apps listed.
Score: 0
Thanks for the heads up Gchenry, certainly puts a different perspective on the issue.
Much appreciated, though I only use Safari on my Apple.
Score: 0
I'm sticking with FireFox. Especially after Apple tried to sneak Safari on my computer. I almost did an update but saw safari and was a little disappointed. I don't have iTunes either.
Score: 0
It'll get better for Safari on Windohs. Apple's got one hell of a job dealing with all of the problems that come with having a browser on Windohs. Eventually Safari will be the most secure browser on Windohs. ?
Score: 0
I have owned a Mak for over 8 years now, and as soon as Opera and Firefox became available, I dropped Safaree as when I go number 2 and never looked back.
Score: 0
You should feel proud of yourself. You're the exclusive owner of a "Mak".
Score: 0
Heh...
One has to question if he actually has a Mac or not after that one.
Score: 0
A Mak running Safaree... Sounds like a knock-off from China to me. It's amazing what those guys can clone these days.
Score: 0
They're porting a program from one platform to another, one they are not entirely familiar with.
Things such as the 3-yr-old IE exploit will pop up. It's to be expected. As the app matures for the win32 platform (or better yet, the x64?) it will improve, just like every other piece of software out there.
So far, Safari4Win actually seems pretty decent. I'm still using Firefox, but it will be interesting to see what 4.0 looks like once they've nailed down the bigger issues.
..hopefully they'll switch to the Windows font anti-aliasing. (A guy can dream, can't he?)
Ars Technica: "Safari 3.1 for Windows continues to use the Mac OS X font anti-aliasing approach rather than the native font anti-aliasing system in Windows (ClearType). The result is text that is often fuzzy, particularly smaller text. Sometimes small text looks bold when it isn't."
Score: 0
The article says the exploit was for Safari running on a Mac...
Score: 0
They describe, and even link to this advisory:
http://secunia.com/advisories/29483/
Funny how it specifically states on the page "Safari for Windows 3.x".
I'm guessing you're mistaken...or you didn't bother to read the whole story.
Score: 0
They have added GDI rendering in the latest WebKit nightly.
Score: 0
Good to hear.
Hope it stays in there for the next "public" release.
Score: 0
The new exploit was on a Mac. The Safari for Windows exploit is a separate issue, regarding the Java issues, that it says was discovered several days ago...
quote:
Yesterday, the latest Safari running on a MacBook Air actually went down first in a public contest for security engineers, just days after an Argentine researcher discovered that a very old JavaScript page spoofing routine could direct Safari for Windows to just about any address.
Score: 0
FTFA:
In any event, last week's discovery that the latest version was susceptible to a simple page frame spoof may not be considered a "system compromise," though security firm Secunia saw fit to catalog it as "highly critical."
The words "highly critical" are a link to the above advisory I posted a direct link to.
The advisory was released the 24th of this month.
Man, you guys are on fire today. ;)
Score: 0
I went to the conference here in Vancouver. It was Safari for the Mac.
Edit - nevermind I see where you're going with this. Lunch time...
Score: 0
God, Microsoft's turd coding infects everyone, and yet toolie blames it on the Apple folks. Way to go, toolie!
OWWWWWWWWWWWWWWWWWWWWW
The STUPID!!!!!! IT BURNS!!!!!! Ignore the troll. Remember, he has no life.
Score: 0
Yep, they have left the cat portal open at Redmond, yet again.
This is not the real Toolie, it's his cat. Gave himself up a couple of posts ago.
There is no way the real Toolie would ever admit to using a non-MSFT product.
Score: 0
Is that really a picture of PC_Tool at your blog?
Score: 0
No, its actually a picture of zridling.
Score: 0
"Remember, i have no life"
fixed that for ya
Score: 0
:p
Food always helps. :) Hope it was tasty.
Score: 0
From the website posted above:
PS: For all who don't know me, I'm Zaine Ridling, who:
— is not a programmer (I wish, but I don't have the brain for it);
— is a lazy, fat **** — I make no excuses there;
— is unemployed (see previous point);
— is poor and lives in a basement (see previous two points);
— is a proud atheist and liberal;
— loves the Free/Libre Open Source software (FLOSS) model.
Yeah, a real Hero. Zaine, get a life.
Score: 0
Zaine, really....
Replying to your own comments now?
Score: 0
Java != JavaScript. I see no mention that any of these exploits are from Java. JavaScript is built into browsers, so if there is a JavaScript exploit it's the browser and nothing else.
Score: 0
*ding*
Score: 0