Newest Safari browsers find themselves shooting gallery targets

Apple could soon find itself the #5 PC producer in the US. Part of the cost of success is prolonged exposure to a more intense spotlight, and when more people are looking at your close-ups, they tend to notice your wrinkles.

It's unusual for Apple to be the one fighting a two-front battle for browser security. But today it's the one that feels like it's being pummeled with tomatoes normally reserved for Microsoft. Yesterday, the latest Safari running on a MacBook Air actually went down first in a public contest for security engineers, just days after an Argentine researcher discovered that a very old JavaScript page spoofing routine could direct Safari for Windows to just about any address.

The "PWN to OWN" contest took place at the CanSecWest security conference in Vancouver, and awarded a $10,000 cash prize plus the compromised MacBook Air to noted researcher Charlie Miller, the fellow who last July discovered one of the first security holes in the Apple iPhone. After reportedly having developed the code for the exploit over the past several weeks, Miller and his two Independent Security Evaluators colleagues were able to compromise a MacBook Air running Mac OS X 10.5.2, before anyone else in the room could take down the machines they'd chosen, including machines with other OSes.

But perhaps for the better, we don't know the details of Miller's exploit just yet. As a condition of entering the contest, the exploit became the intellectual property of the principal sponsors, TippingPoint, which states this morning it immediately turned over news of the exploit to Apple. The security company's stated policy is not to make those details public until the manufacturer has given its consent.

Windows users may hope Safari doesn't share as much binary code between versions as it does licensing restrictions. In any event, last week's discovery that the latest version for Windows was susceptible to a simple page frame spoof may not be considered a "system compromise," though security firm Secunia saw fit to catalog it as "highly critical."

The code for this JavaScript-based exploit was made public, though there's not much surprising or innovative about it: It's the same kind of page spoofing problem that plagued Microsoft Internet Explorer over three years ago. Essentially it enables the creation of a browser frame that says its contents come from a URL but in fact derive from a separate JavaScript element that runs unchecked.

As Neophasis' Juan Pablo Lopez Yacubian writes, "What makes the proof of concept is simply open a window with the site and we want to forge another function overwrites the content of the page so that we can insertarle [sic] from a frame to a fake login what is happening to us."

Secunia also noted -- somewhat more legibly -- that Yacubian also discovered that triggering Safari for Windows to download a .ZIP file with an overly long filename can trigger a buffer overflow.

35 Responses to Newest Safari browsers find themselves shooting gallery targets

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.