Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Newest Safari browsers find themselves shooting gallery targets

By Scott M. Fulton, III, BetaNews

March 28, 2008, 12:10 PM

Apple could soon find itself the #5 PC producer in the US. Part of the cost of success is prolonged exposure to a more intense spotlight, and when more people are looking at your close-ups, they tend to notice your wrinkles.

It's unusual for Apple to be the one fighting a two-front battle for browser security. But today it's the one that feels like it's being pummeled with tomatoes normally reserved for Microsoft. Yesterday, the latest Safari running on a MacBook Air actually went down first in a public contest for security engineers, just days after an Argentine researcher discovered that a very old JavaScript page spoofing routine could direct Safari for Windows to just about any address.

The "PWN to OWN" contest took place at the CanSecWest security conference in Vancouver, and awarded a $10,000 cash prize plus the compromised MacBook Air to noted researcher Charlie Miller, the fellow who last July discovered one of the first security holes in the Apple iPhone. After reportedly having developed the code for the exploit over the past several weeks, Miller and his two Independent Security Evaluators colleagues were able to compromise a MacBook Air running Mac OS X 10.5.2, before anyone else in the room could take down the machines they'd chosen, including machines with other OSes.

But perhaps for the better, we don't know the details of Miller's exploit just yet. As a condition of entering the contest, the exploit became the intellectual property of the principal sponsors, TippingPoint, which states this morning it immediately turned over news of the exploit to Apple. The security company's stated policy is not to make those details public until the manufacturer has given its consent.

Windows users may hope Safari doesn't share as much binary code between versions as it does licensing restrictions. In any event, last week's discovery that the latest version for Windows was susceptible to a simple page frame spoof may not be considered a "system compromise," though security firm Secunia saw fit to catalog it as "highly critical."

The code for this JavaScript-based exploit was made public, though there's not much surprising or innovative about it: It's the same kind of page spoofing problem that plagued Microsoft Internet Explorer over three years ago. Essentially it enables the creation of a browser frame that says its contents come from a URL but in fact derive from a separate JavaScript element that runs unchecked.

As Neophasis' Juan Pablo Lopez Yacubian writes, "What makes the proof of concept is simply open a window with the site and we want to forge another function overwrites the content of the page so that we can insertarle [sic] from a frame to a fake login what is happening to us."

Secunia also noted -- somewhat more legibly -- that Yacubian also discovered that triggering Safari for Windows to download a .ZIP file with an overly long filename can trigger a buffer overflow.

Add a Comment (36 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By Lucent

posted Mar 31, 2008 - 12:46 PM

How very classless and unprofessional to go out of the way twice to ridicule Yacubian's English fluency.

Score: 0

By mj132

posted Apr 1, 2008 - 2:55 AM

What do you mean - the use of (sic) by the misspelled word? Standard editing, due.

Score: 0

By tscar13

posted Mar 29, 2008 - 9:19 PM

Always leave to Betanews to find a way to take an direct or indirect shot at MS.

Score: 0

By mjm01010101

posted Mar 29, 2008 - 12:36 PM

All browsers should include noscript/IE locked down mode like functionality out of the box.

javascript is too unwieldy.

Score: 0

By Galway

posted Mar 29, 2008 - 7:15 PM

Noscript for firefox is excellent. Use it all the time and its an inconvenience im happy to live with enabling it for the sites I visit. It is very effective is removing tracking and ads, and agree it would be beneficial to everyone but doubt they would be willing to do the level of tweeking necessary for it to be effective.

Score: 0

By mjm01010101

posted Mar 29, 2008 - 10:34 PM

I refuse to browse without it. And now that ad networks are compromised, anybody browsing with ads displaying is asking for malware.

Sorry commercialism, I'm not buying your crap until you secure your nets.

Score: 0

By Galway

posted Mar 30, 2008 - 6:53 PM

Same ... Just this site alone has atdmt.com, doubleclick.net, googleservices.com, googlesyndication.com, googleadservices.com and google-analytics scripts disabled.

Its nice to know who's scripts your running when browsing.

Score: 0

By mjm01010101

posted Mar 31, 2008 - 12:29 PM

atdmt.com, doubleclick.net, aren't even seen by noscript, because adblock got to them first. :)

Score: 0

By madmike

posted Mar 29, 2008 - 8:29 AM

just a bit more to gchenrys post, Microsoft also have a significant amount of shares in Apple ;)

Score: 0

By PC_Tool

posted Mar 29, 2008 - 6:33 PM

I believe they sold most of those back if you are referring to the bailout over a decade ago.

Score: 0

By gchenry

posted Mar 29, 2008 - 6:53 AM

1. If you want to look at Safari 3.1 download Safari 3.1. There is no need to download the entire site.

2. Probably immaterial but MS was a sponsor of the event and apple was not.

3. The event was designed to test the hack-ability of machines not 3d party
application vulnerabilities. (Think Java)

Secunia resuls so far this year..
Firefox 2.0.xx 22 with 4 not fixed
Safari 3.1 1 with one unfixed
IE 7.xx 23 with 8 unfixed.

Most would consider this a Java exploit and not
a Safari exploit. I tried Safari and would rate
it comparable and maybe better then the other
apps listed.

Score: 0

By marrix

posted Mar 29, 2008 - 9:26 AM

Thanks for the heads up Gchenry, certainly puts a different perspective on the issue.
Much appreciated, 'though I only use Safari on my Apple.

Score: 0

By Wynner3

posted Mar 29, 2008 - 3:06 AM

I'm sticking with FireFox. Especially after Apple tried to sneak Safari on my computer. I almost did an update but saw safari and was a little disappointed. I don't have iTunes either.

Score: 0

By internetworld7

posted Mar 28, 2008 - 10:41 PM

It'll get better for Safari on Windohs. Apple's got one hell of a job dealing with all of the problems that come with having a browser on Windohs. Eventually Safari will be the most secure browser on Windohs. ?

Score: 0

By tiburoncito_2000

posted Mar 29, 2008 - 2:16 AM

I have own a Mak for over 8 years now and as soon as Opera and Firefox became available, I drop Safaree as when I go number 2 and never looked back.

Score: 0

By templar™

posted Mar 30, 2008 - 9:31 PM

A Mak running Safaree... Sounds like a knock-off from China to me. It's amazing what those guys can clone these days.

Score: 0

By internetworld7

posted Mar 29, 2008 - 10:46 PM

You should feel proud of yourself. You're the exclusive owner of a "Mak".

Score: 0

By PC_Tool

posted Mar 30, 2008 - 4:06 PM

Heh...

One has to question if he actually has a Mac or not after that one.

Score: 0

By PC_Tool

edited Mar 28, 2008 - 12:42 PM

They're porting a program from one to another, one they are not entirely familiar with.

Things such as the 3 yr-old IE exploit will pop up. It's to be expected. As the app matures for the win32 platform (or better yet, the x64?) it will improve, just like every other peice of software out there.

So far, Safari4Win actually seems pretty decent. I'm still using Firefox, but it will be interesting to see what 4.0 looks like once they've nailed down the bigger issues.

..hopefully they'll switch to the windows font anti-aliasing. (A guy can dream, can't he?)

Ars Technica
Safari 3.1 for Windows continues to use the Mac OS X font anti-aliasing approach rather than the native font anti-aliasing system in Windows (ClearType). The result is text that is often fuzzy, particularly smaller text. Sometimes small text looks bold when it isn't.

Score: 0

By zridling

posted Mar 28, 2008 - 6:06 PM

God, Microsoft's turd coding infects everyone, and yet toolie blames it on the Apple folks. Way to go, toolie!
OWWWWWWWWWWWWWWWWWWWWW
The STUPID!!!!!! IT BURNS!!!!!! Ignore the troll. Remember, he has no life.

Score: 0

By PC_Tool

posted Mar 29, 2008 - 3:20 PM

From the website posted above:

PS: For all who don't know me, I'm Zaine Ridling, who:
— is not a programmer (I wish, but I don't have the brain for it);
— is a lazy, fat **** — I make no excuses there;
— is unemployed (see previous point);
— is poor and lives in a basement (see previous two points);
— is a proud atheist and liberal;
— loves the Free/Libre Open Source software (FLOSS) model.

Yeah, a real Hero. Zaine, get a life.

Score: 0

By SlapShot

posted Mar 29, 2008 - 12:33 PM

"Remember, i have no life"

fixed that for ya

Score: 0

By internetworld7

posted Mar 28, 2008 - 10:37 PM

Is that really a picture of PC_Tool at your blog?

Score: 0

By dvferret

posted Mar 28, 2008 - 10:56 PM

No, its actually a picture of zridling.

Score: 0

By Toolie's Muse

posted Mar 28, 2008 - 7:33 PM

Yep, they have left the cat portal open at Redmond, yet again.
This is not the real Toolie, it's his cat. Gave himself up a couple of posts ago.
There is no way the real Toolie would ever admint it using a non MSFT product.

Score: 0

By PC_Tool

posted Mar 29, 2008 - 3:21 PM

Zaine, really....

Replying to your own comments now?

Score: 0

By sumone

posted Mar 28, 2008 - 2:38 PM

They have added GDI rendering in the latest WebKit nightly.

Score: 0

By PC_Tool

posted Mar 28, 2008 - 3:01 PM

Good to hear.

Hope it stays in there for the next "public" release.

Score: 0

By SharedProphet

edited Mar 28, 2008 - 1:25 PM

The article says the exploit was for Safari running on a Mac...

Score: 0

By PC_Tool

edited Mar 28, 2008 - 2:05 PM

They describe, and even link to this advisory:

http://secunia.com/advisories/29483/

Funny how it specifically states on the page "Safari for Windows 3.x".

I'm guessing you're mistaken...or you didn't bother to read the whole story.

Score: 0

By Jordanr05

edited Mar 28, 2008 - 5:31 PM

I went to the conference here in Vancouver. It was Safari for the Mac.

Edit - nevermind I see where you're going with this. Lunch time...

Score: 0

By PC_Tool

posted Mar 29, 2008 - 3:19 PM

:p

Food always helps. :) Hope it was tasty.

Score: 0

By Maymne

posted Mar 28, 2008 - 3:33 PM

The new exploit was on a Mac. The Safari for Windows exploit is a separate issue, regarding the Java issues, that it says was discovered several days ago...

quote:
Yesterday, the latest Safari running on a MacBook Air actually went down first in a public contest for security engineers, just days after an Argentine researcher discovered that a very old JavaScript page spoofing routine could direct Safari for Windows to just about any address.

Score: 0

By kappen

edited Mar 31, 2008 - 9:30 AM

Java != Javascript. I see no mention that any of these exploits are from java. Javascript is built into browsers so if there is a javascript exploit its the browser and nothing else.

Score: 0

By PC_Tool

posted Mar 31, 2008 - 12:22 PM

*ding*

Score: 0

By PC_Tool

edited Mar 28, 2008 - 3:52 PM

FTFA:
In any event, last week's discovery that the latest version was susceptible to a simple page frame spoof may not be considered a "system compromise," though security firm Secunia saw fit to catalog it as "highly critical."

The words "highly critical" are a link to the above advisory I posted a direct link to.

The advisory was released the 24th of this month.

Man, you guys are on fire today. ;)

Score: 0

May 15 - 11:53 AM ET Adobe Flash Player 10 public beta now open

May 15 - 11:23 AM ET Icahn names Yahoo's dissident dream team, including Cuban, Biondi, Chapple

May 14 - 6:33 PM ET Now a British educational agency raises alarms on OXML

May 14 - 5:38 PM ET Tele Atlas buyout by TomTom okayed by EC, putting Navteq in play

May 14 - 5:30 PM ET Windows Live services for WM phones emerge from testing

May 14 - 4:17 PM ET Miniaturized GPS paves the way for new positioning applications

May 14 - 4:15 PM ET Google attempts to protect identities in Street View feature

May 14 - 4:12 PM ET Android faces a tougher battle, with Verizon and Mozilla backing LiMo

May 14 - 4:00 PM ET Google now offers real estate listings through Google Maps

May 14 - 3:32 PM ET RIAA demonstrates collegiate anti-piracy efforts