Apple Safari On Windows Broken On First Day

← Back to Stories (view on slashdot.org)

Apple Safari On Windows Broken On First Day

Posted by kdawson on Monday June 11, 2007 @02:57PM from the bigger-they-come dept.

An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.

13 of 595 comments (clear)

Min score:

Reason:

Sort:

Maybe that's because... by YowzaTheYuzzum · 2007-06-11 15:00 · Score: 5, Insightful

... it's a beta version.
1. Re:Maybe that's because... by the+pickle · 2007-06-11 16:23 · Score: 5, Insightful
  
  "if these guys can find holes in a few hours, why can't Apple?"
  
  David Maynor has a track record as a publicity whore first and legitimate security researcher second, so whether Maynor has actually found as many bugs as he claims to have found here is up for debate until he provides some more substantial proof. He also has a giant ax to grind after Apple embarrassed him in the AirPort bug fiasco. I'd take anything he says with a grain of salt until he gives me ample reason to trust him again.
  
  Nice policy, by the way: find bugs and don't ever report them to Apple. Because last time you claimed to have reported a bug, Apple exposed you as a liar, so now you just don't bother. That's brilliant. We need more people in the world with that kind of attitude. And Maynor wonders why people don't take him seriously as a "security researcher". The Blogspot-based announcement doesn't help either. That's like your company e-mail address being @hotmail.com.
  
  Thor Larholm, on the other hand, may well have found a legitimate bug. What with this being beta software and all, that's not too incredibly surprising. Equally serious bugs have been found in release versions of Firefox and IE, so I'm not sure what the big deal is here. If Safari 3 ships with these vulnerabilities still unfixed, then people should worry.
  
  p
  
  --
  In Korea, long hair is for old people!
Re:He notes in the blog that his company does not by Kadin2048 · 2007-06-11 15:03 · Score: 5, Insightful

Yeah -- what the hell.

I can understand not sitting on a vulnerability -- there are some valid points both for and against full disclosure -- but not notifying the company at all? WTF.

This is the sort of stuff that just makes the whole IT security industry, and everyone involved in it, look dangerous and irresponsible.

--
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
So many keep saying "but it's a BETA" by lena_10326 · 2007-06-11 15:22 · Score: 5, Insightful

..."that you should expect bugs in a BETA"

Come on. You have to admit remote execution of any cmd is pretty bad even for a beta. This ain't your run of the mill bug, like a UI glitch or rendering type of bug. It makes the beta unusable and thus not a very useful beta. (Unless you're testing how your own trusted website looks under Safari.)

--
Camping on quad since 1996.
Re:He notes in the blog that his company does not by ubernostrum · 2007-06-11 15:28 · Score: 5, Insightful
I wondered who'd be the first to launch an ad hominem attack - and look, right in the first comment.

How about we try it this way:

Maynor claims to be a professional security researcher. One of the cornerstones of professionalism in that field is responsible disclosure of discovered vulnerabilities. Another is full disclosure of vulnerability details after a vendor has had a reasonable amount of time to correct the vulnerability. Yet another is working to advance the overall state of computer security. But Maynor has a track record of irresponsible, partial-at-best disclosure: he claims discovery of vulnerabilities while proclaiming that he will not report them to the vendor, and strives to hide the details of his discoveries from open review by his peers in the security community (for example, witness the endless controversy over the alleged MacBook wifi hack, all of which could have been settled quickly and objectively by simple peer review of the exploit he claimed to have used). And none of this can, so far as I can see, be construed as advancing the state of computer security in any fashion.

In other words, there is no sense of the word "professionalism" for his field which seems to be reasonably applicable to Maynor. Before you go screaming "ad hominem" or "Apple Fanboi", take note of two things:
1. All I've criticized here are the man's methods, not the man himself. I don't even speculate to his motives for operating the way he does.
2. I'm typing this on a MacBook Pro, and I do like both it and the operating system it runs, but neither are particularly essential to me -- at this point I can move between (Unix-y) operating systems with relative ease, and occasionally do as needed (prior to this MacBook, I used various forms of Linux exclusively for about six years, and still use them on a regular basis. The only OS I have a prejudice against is Windows, and I've even got that available, virtualized, when I need to test things in it).
I await your reply.
Maybe I need a tinfoil hat... by AikonMGB · 2007-06-11 15:37 · Score: 5, Insightful

... but the first thing that I thought of was that here you have an app (Safari) that works perfectly fine on Macs; as soon as it gets ported to Windows, BAM, instantly full of vulnerabilities. Would Apple go so far as to break their own product to deface an opponent in the OS arena?

Aikon-
Re:He notes in the blog that his company does not by argent · 2007-06-11 15:52 · Score: 5, Insightful

Truth is, if the guy had reported the bugs/vulnerabilities to Apple, they more than likely would have done what they always do, wait months to push a fix out or just deny their existence altogether.

Did you read the disclosure policy?

Keeping with our disclosure policy, we do not report bugs to Apple.

It doesn't say

Keeping with our disclosure policy, we do not wait for a response to the bugs we report.

If it said that, your comment would make sense. That would be something like ... "We don't think Apple will fix it, so we won't wait before announcing it". I could see that (though not agree with it). But "We don't think Apple will fix it, so we won't even TELL them about it" is totally irresponsible. The only "rational" interpretation of that is he actively wants to make it harder to improve the security of Safari.

Do you have a better explanation, or a justification for that approach?
Re:shooting the messenger is now + 5 insightful? by ceoyoyo · 2007-06-11 16:12 · Score: 5, Insightful

They release a beta of a free product, the engine of which (and almost certainly where these bugs are located) is open source, and this "security researcher" finds a bug and refuses to report it. Deep throat he's not.
Re:He notes in the blog that his company does not by lordsid · 2007-06-11 16:19 · Score: 5, Insightful

No better day to blow the whistle then the same day it's released. Much smaller chance of a user base being affected by it.

--
IMAGE VERIFICATION IS EVIL!
Re:shooting the messenger is now + 5 insightful? by iluvcapra · 2007-06-11 16:34 · Score: 5, Insightful

or you sincerely believe most folks that install stuff know what they are doing?

That is the responsibility they undertake, yes. They may or may not understand all the ins and outs, but it's their responsibility.

so then it is better that people don't know what's in for them when installing it, right?

Based on the blog posting, they STILL don't know what's "in for them," since the vulnerabilities are still undisclosed. They remain in Maynor's to do list, for sale to the highest bidder for all we know.

If you're a linux or MS supporter, don't waste your breath defending this guy. He wasted a year of everybody's time on that Airport vulnerability that didn't exist.

--
Don't blame me, I voted for Baltar.
Re:shooting the messenger is now + 5 insightful? by ceoyoyo · 2007-06-11 16:38 · Score: 5, Insightful

I didn't say he shouldn't report that there's a bug, I said that he should report the bug to Apple. The beta agreement probably requires that he do that, actually.

And if you're installing a beta then yes, you really should be aware that you're in for some bugs. It's very unfortunate that Google has diluted the meaning of "beta" so much.

Also note that he's not really failing to report a bug to Apple, he's failing to report it to the webkit/khtml open source project. I doubt very much the bugs are in Apple's closed source GUI front end to webkit.
Re:shooting the messenger is now + 5 insightful? by Sparks23 · 2007-06-11 18:12 · Score: 5, Insightful

No. But put it this way...

Let's say there's something built atop an open source library. Hey, there's plenty of them out there... let's pick OpenSSL as an example. It's open source and it's used in other projects, some of which are commercial or proprietary systems. Now assume that some company makes a proprietary, closed product built on that project as the core, but continue to contribute changes -- a heck of a lot of changes -- back to the original project as the develop. And then they release this as a beta.

Finally, let's say that someone finds a vulnerability in the proprietary project, a security issue with implications for the open source project. And instead of reporting the vulnerability to the proprietary folks (who would probably promptly generate a patch for both their tool and the underlying library, the person refuses to report the vulnerability to anyone and just says 'I found vulnerabilities, but I'm not telling you what they are.'

That's basically how WebKit/KHTML and Safari are tied together. Safari's just a UI atop an open source framework, WebKit, which Apple is the primary contributor to but which other people also contribute to, and which other projects (besides Safari and OS X) use. WebKit is used on Symbian OS, on Linux, and various other operating systems. And this guy is claiming to have found vulnerabilities which, given where they occur, seem to have implications for WebKit as well as Safari... and is refusing to give the details to either Apple, or to the WebKit development community.

You don't have to be an Apple 'fanboi' (or fangirl) to see that's not the way to handle security disclosures. If someone found several bugs in Firefox and said 'ZOMG I can crash Firefox or anything which uses the Gecko HTML engine. I can do it 100% of the time. But I'm not going to report the details to the Firefox team, so, nyah!' people would be up in arms about it.

Professional, good security researchers report things to the responsible parties, giving them the details necessary to fix it. Going, "Ha ha, I found a way to break your stuff but I'm not going to tell you how" is not only unprofessional, it's just downright immature.

Sure, lambaste Apple for releasing a beta/preview of something with bugs if you feel you must. But, please, don't bother trying to defend someone who basically makes a mockery of the entire security field.

--
--Rachel
Re:shooting the messenger is now + 5 insightful? by Nullav · 2007-06-11 20:47 · Score: 5, Insightful

Or how about everyone stop treating their choice of operating system as a religion? Hmm?

--
I just read Slashdot for the articles.