Wednesday, June 13, 2007

Number of Safari Issues Continues to Grow

Robert Swiecki posted this information on both FD and Bugtraq today -

There is a vulnerability in Apple Safari, that allows an attacker to steal a cookie belonging to the arbitrary domain or/and fill the browser window with an arbitrary content, whereas the url bar and the browser's window title is derived from the selected domain.

The flaw exists in the javascript's window.setTimeout() implementation. The content of the timer-triggered function is processed after window.location property is changed.

Tested with Apple Safari 3.0 (522.11.3) on MS Windows 2003 SE SP2

http://alt.swiecki.net/safc.html

----------------------------
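The timer behaviour described in the advisory above can be shown with a simplified model. This is an added example, not code from the advisory or from Safari; the `ToyWindow` class, the origins and the cookie values are constructed for illustration, and the "hardened" variant is one possible fix (dropping timers when the document changes), not Apple's actual patch.

```javascript
// Toy model of one browser window: per-origin cookies, a current document,
// and a queue of pending timers. All names here are constructed for illustration.
class ToyWindow {
  constructor(cookies, bindTimersToDocument) {
    this.cookies = cookies;               // origin -> cookie string
    this.bind = bindTimersToDocument;     // false = flawed model, true = hardened
    this.origin = null;
    this.docId = 0;                       // incremented on every navigation
    this.timers = [];
  }
  navigate(origin) {
    this.origin = origin;
    this.docId += 1;
    // Hardened model: timers die with the document that created them.
    if (this.bind) this.timers = [];
  }
  setTimeout(fn) {
    // Remember which document scheduled the callback.
    this.timers.push({ fn, docId: this.docId });
  }
  runTimers() {
    const results = [];
    const pending = this.timers;
    this.timers = [];
    for (const t of pending) {
      // Defence in depth: never run a callback for a document that is gone.
      if (this.bind && t.docId !== this.docId) continue;
      // The callback sees whatever document is current when it fires.
      results.push(t.fn({ origin: this.origin, cookie: this.cookies[this.origin] || "" }));
    }
    return results;
  }
}

// Constructed scenario: a page on one origin schedules a timer, then navigates.
function cookiesSeenAfterNavigation(bindTimersToDocument) {
  const jar = { "https://a.example": "a=1", "https://b.example": "session=constructed" };
  const w = new ToyWindow(jar, bindTimersToDocument);
  w.navigate("https://a.example");
  w.setTimeout((doc) => doc.origin + " " + doc.cookie);
  w.navigate("https://b.example");        // window.location changes before the timer fires
  return w.runTimers();
}

console.log("flawed  :", cookiesSeenAfterNavigation(false));
console.log("hardened:", cookiesSeenAfterNavigation(true));
```

In the flawed model the callback scheduled by the first page runs against the second page's document and reads its cookie; in the hardened model the pending timer is discarded at navigation and nothing runs.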

Michal Zalewski, a well known vuln researcher, responded with this message -

Forgive me [for] the rant, but... all other recently reported problems aside, seeing this, I can only ask - which rock did Safari developers hide under for the past 8 years or so?

I mean... this is the type of a flaw you probably no longer even to test for because it seems too obvious - 'ping -l 65510' of the browser world...

-----------------------------

It seems that everyone agrees that Apple clearly did not conduct QA steps (fuzzing) that most in the industry consider "a given" before releasing a browser to the market. Beta or not.

Other vendors in the browser market have learned the security lesson of not fuzzing. Why hasn't Apple?

In my mind, the people playing the "beta" card are attempting a smoke screen. It smells like a cop-out.

Almost twenty vulnerabilities discovered in a little more than a day, with almost 1/4 of them being seen as "Critical". This isn't a beta...this is a programming nightmare. This is Safari v3 folks, not some pre-v1 beta.

Firefox 3 is currently in Alpha stage and I highly doubt its source code points to such serious design flaws and lack of security understanding.

With that being said, there is a silver lining in all of this for Apple.

Apple has released Safari as beta. Serious flaws were discovered in record time...some publicly released, some not. Now Apple has a list of issues to fix BEFORE the userbase grows and these issues become a real PR problem.

Right now, all the Mac Faithful can play the "beta" card and Apple can lick its injuries while deciding what to do with the browser next. It is clear that Apple is not "up to speed" on current browser testing....which says something in general about Apple's view on security.

But in the end, the fast response from the security researchers will allow Apple to get away with the "beta" excuse. Apple will come out of this with minimal PR damage and a ton of free security/QA testing.

This will allow the Safari browser to grow more secure before it is deployed on the iPhone or with iTunes....and thus give it a greater chance to grab a foothold in the already crowded browser market.
