Tuesday, June 12, 2007

Safari for Windows, 0day exploit in 2 hours

Via larholm.com -

Apple released version 3 of their popular Safari web browser today, with the added twist of offering both an OS X and a Windows version. Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser.

I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site. I will not sell this one to ZDI or iDefense but instead release it here, as I have done lately with a number of 0day vulnerabilities. This place is where you get my latest research.

A bunch of other security researchers such as David Maynor and Aviv Raff have been pounding safariWin with their fuzzing tools, going through thousands upon thousands of test pages in the hopes of triggering some form of memory corruption for potential exploitation. I am a big fan of fuzzing and believe it can produce some tremendous results, but sometimes good old fashioned application specific knowledge can get you far.

The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically consists of a multitude of different URL schemes, some of which are handled by internal functions and others that are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.

-------------------------

Wow, I was wondering how many bugs would be found in the first couple of weeks...but I didn't think it would be that fast. Appears to be a pretty clear cut command injection via IFRAME.

Combine this vuln with the possible bugs found by David and Aviv, and you are looking at three or four remote code execution vulns found in the first day... Day Zero.

A little birdy told me about a possible rumor that Apple plans to include Safari with iTunes in the future.

If this is true, then the install base would become huge and Apple is putting its browser directly in the aim of malware authors. As David points out in his blog, issues found in the Windows version of Safari can then be converted to the OS X Safari, therefore becoming Apple attack vectors.

Very interesting... I suggest you keep an eye open to see what will happen with these vulns in the next few days. Things could get really bad really fast...
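The quoted post explains the bug class, protocol handler command injection, only in prose: a browser hands some URL schemes to external programs, and if the untrusted URL is spliced into a command string on the way out, URL characters become command syntax. The following is an added example, written for this page and not code from larholm.com, Apple, or the blog author, that puts the vulnerable dispatch pattern beside a hardened one. The handler registry, the program names `mail-client` and `news-reader`, and the sample URLs are all constructed for illustration; nothing in it is the actual Safari handler code.

```python
"""Added example: URL-scheme dispatch, vulnerable pattern beside hardened pattern.
Not code from the original post or from Apple; handler names are constructed."""
import re
import shlex
import subprocess
from typing import List
from urllib.parse import urlsplit

# Constructed registry: scheme -> external program that handles it.
EXTERNAL_HANDLERS = {
    "mailto": "mail-client",
    "news": "news-reader",
}


def build_shell_command_vulnerable(url: str) -> str:
    """Vulnerable pattern: the untrusted URL is spliced into a shell command
    string that would later be run through a shell. A quote or space in the
    URL terminates the intended argument and the rest is parsed as further
    shell syntax. Returned as a string only; never executed here."""
    scheme = url.split(":", 1)[0].lower()
    handler = EXTERNAL_HANDLERS.get(scheme)
    if handler is None:
        raise ValueError("no external handler for scheme %r" % scheme)
    return '%s "%s"' % (handler, url)


# Characters RFC 3986 allows unescaped in a URL. Note that this set includes
# shell metacharacters such as & ; ' ( ) $ and *, so character filtering alone
# cannot make the string-based dispatch above safe; the fix is to avoid the shell.
_SAFE_URL = re.compile(
    r"^[A-Za-z][A-Za-z0-9+.-]*:[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]*$"
)


def build_argv_hardened(url: str) -> List[str]:
    """Hardened pattern: reject anything that is not syntactically a URL,
    look the scheme up in an explicit allowlist, and hand the whole URL to
    the program as a single argv element. No shell is involved, so shell
    metacharacters inside the URL are inert data."""
    if len(url) > 2048 or not _SAFE_URL.fullmatch(url):
        raise ValueError("URL contains characters not allowed in a URL")
    scheme = urlsplit(url).scheme.lower()
    handler = EXTERNAL_HANDLERS.get(scheme)
    if handler is None:
        raise ValueError("scheme %r is not in the external handler allowlist" % scheme)
    return [handler, url]


def launch_external(url: str, run=subprocess.run):
    """Dispatch the URL via argv with shell=False. The `run` callable is
    injectable so the dispatch path can be exercised without spawning anything."""
    argv = build_argv_hardened(url)
    return run(argv, shell=False, check=False)


def argument_count_seen_by_shell(command: str) -> int:
    """How many words a POSIX shell would split the command string into.
    A correctly quoted dispatch yields exactly two: program and URL."""
    return len(shlex.split(command))
```

The check worth taking away is `argument_count_seen_by_shell`: for a URL that carries a quote and a space, the string-built command splits into more than two words, which is exactly the condition a reviewer should look for in any code that forwards URLs to external programs. The hardened builder refuses that same URL outright, and a scheme outside the allowlist (a `file:` URL, for instance) is refused before any program name is even chosen.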
