Slashdot Mirror
Apple Safari On Windows Broken On First Day
An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.
... it's a beta version.
Bugs in the first public beta release!
:/
Who would've thought it!
Incidentally, it doesn't seem to like authenticating proxies at all, so my first experience with it was a bug too
However, making a big deal of, but not reporting bugs found in a beta release of something seems more than a little silly.
Advanced users are users too!
Yeah -- what the hell.
I can understand not sitting on a vulnerability -- there are some valid points both for and against full disclosure -- but not notifying the company at all? WTF.
This is the sort of stuff that just makes the whole IT security industry, and everyone involved in it, look dangerous and irresponsible.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Remote code execution 2.5 times faster than FF on windows!
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
I was actually looking forward to try this browser out, but to my surprise, I could not even make it work.
The installation was smooth without any unexpected bumps on the road. First when I loaded the program, I noticed that no menu fonts nor any fonts whatsoever on the web pages existed. To make it worse, the browser would crash every time I clicked on anything with interactivity, such as the stop button. I have read quite a few solutions to this problem but so far no success. I run Win XP SP2, btw.
Anyway, there are more problems around the corner. According to the Apple forum, people can't play Windows Media files, dual monitor support is very buggy, some buttons screw up the GUI when pressed down and dragged, loads of spontaneous lockups, random letters appearing everywhere, installation problems, parental control issues and more.
Also, I am not a big fan of customized GUI:s for crucial applications like a web browser. We should be able to use Windows ClearType instead of the ported OSX version (which sucks), and most importantly, we should be able to use the standard Windows themes. I don't get why Apple thinks the average Windows user would want a significantly altered browser that looks nothing like the rest of the operating system he or she is using. How would Mac users react if Internet Explorer was ported with the Windows theme?
I think it looks like a promising project, but I am worried because it's not in Apple's nature to release beta software with so many bugs and so little heart put into it.
Full Tilt
..."that you should expect bugs in a BETA"
Come on. You have to admit remote execution of any cmd is pretty bad even for a beta. This ain't your run of the mill bug, like a UI glitch or rendering type of bug. It makes the beta unusable and thus not a very useful beta. (Unless you're testing how your own trusted website looks under Safari.)
Camping on quad since 1996.
How about we try it this way:
Maynor claims to be a professional security researcher. One of the cornerstones of professionalism in that field is responsible disclosure of discovered vulnerabilities. Another is full disclosure of vulnerability details after a vendor has had a reasonable amount of time to correct the vulnerability. Yet another is working to advance the overall state of computer security. But Maynor has a track record of irresponsible, partial-at-best disclosure: he claims discovery of vulnerabilities while proclaiming that he will not report them to the vendor, and strives to hide the details of his discoveries from open review by his peers in the security community (for example, witness the endless controversy over the alleged MacBook wifi hack, all of which could have been settled quickly and objectively by simple peer review of the exploit he claimed to have used). And none of this can, so far as I can see, be construed as advancing the state of computer security in any fashion.
In other words, there is no sense of the word "professionalism" for his field which seems to be reasonably applicable to Maynor. Before you go screaming "ad hominem" or "Apple Fanboi", take note of two things:
I await your reply.
... but the first thing that I thought of was that here you have an app (Safari) that works perfectly fine on Macs; as soon as it gets ported to Windows, BAM, instantly full of vulnerabilities. Would Apple go so far as to break their own product to deface an opponent in the OS arena?
Aikon-
I wonder how many of those vulnerabilities are actually Safari/KHTML code and how many of those are Windows vulnerabilities.
IIRC, Firefox had that "URL protocol handler command injection" vulnerability (or something around those lines, correct me if I'm wrong) a few years ago and FF developers said it was the way Windows handles protocols. In the end, they had to change the way URLs are handled inside FF to prevent Windows from catching it.
Truth is, if the guy had reported the bugs/vulnerabilities to Apple, they more than likely would have done what they always do, wait months to push a fix out or just deny their existence altogether.
... "We don't think Apple will fix it, so we won't wait before announcing it". I could see that (though not agree with it). But "We don't think Apple will fix it, so we won't even TELL them about it" is totally irresponsible. The only "rational" interpretation of that is he actively wants to make it harder to improve the security of Safari.
Did you read the disclosure policy?
Keeping with our disclosure policy, we do not report bugs to Apple.
It doesn't say
Keeping with our disclosure policy, we do not wait for a response to the bugs we report.
If it said that, your comment would make sense. That would be something like
Do you have a better explanation, or a justification for that approach?
These things are worth a lot. Spammers, governments, mobsters... all will pay. You even get your choice of payment method:
*euros
*credit card numbers
*yuan
*underage virgins
*dollars
*shekels
*death to your enemies
*rubles
*pounds, British money
*pounds, crack cocaine
Just be sure to not rip off the buyer. Most of the buyers have nasty ways to kill you. Some of them have polonium. Some of them have penis pills.
They release a beta of a free product, the engine of which (and almost certainly where these bugs are located) is open source, and this "security researcher" finds a bug and refuses to report it. Deep throat he's not.
Mac: Hello, I'm a Mac... ...and I'm a PC.
PC:
Mac is looking through a small viewfinder, looking very absorbed
PC: Hey Mac.
Mac: Yeah?
PC: What are you doing?
Mac: I'm browsing the internet with Safari.
PC: I do the same thing with IE.
Mac: You should try Safari. It's fast, secure, and easy to use.
Mac hands the viewfinder to PC
PC: Oh, thanks.
PC looks into the viewfinder and keels over, dead
Mac shrugs
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
No better day to blow the whistle then the same day it's released. Much smaller chance of a user base being affected by it.
IMAGE VERIFICATION IS EVIL!
That is the responsibility they undertake, yes. They may or may not understand all the ins and outs, but it's their responsibility.
Based on the blog posting, they STILL don't know what's "in for them," since the vulnerabilities are still undisclosed. They remain in Maynor's to do list, for sale to the highest bidder for all we know.
If you're a linux or MS supporter, don't waste your breath defending this guy. He wasted a year of everybody's time on that Airport vulnerability that didn't exist.
Don't blame me, I voted for Baltar.
I didn't say he shouldn't report that there's a bug, I said that he should report the bug to Apple. The beta agreement probably requires that he do that, actually.
And if you're installing a beta then yes, you really should be aware that you're in for some bugs. It's very unfortunate that Google has diluted the meaning of "beta" so much.
Also note that he's not really failing to report a bug to Apple, he's failing to report it to the webkit/khtml open source project. I doubt very much the bugs are in Apple's closed source GUI front end to webkit.
I doubt URL handling is part of the KHTML/KJS renderer; responsibility for acquiring content in Konqueror is done in KIO, so Apple would have had to implement their own content acquisition scheme.
It is possible that the stack failure is in (KHTML/KJS)/WebKit - but as it's not been shown that these bugs apply to either Konqueror or Mac Safari, it's most unlikely that the stack failures are the result of the open portion of the code.
Anyway, as a news story, this is a null set; it's a public beta. It's there for the public to test it and report bugs. It's not a production browser.
I'd be curious, however, to see if these bugs are Windows-only (for example, Mac OS-X and KDE have a URL handling scheme built into the OS that wouldn't be available in Windows; it would need to be implemented as part of Win Safari), or if they apply equally to Windows and Mac.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
This just in, nasty bugs were quickly discovered in the public beta of a newly ported app. Disappointment of outrageous expectations has now led to the death of several men living in their mothers' basements.
It is assumed Apple realized this devastating "beta" because they hate freedom and want the terrorists to win... and they've now won.
We will try to stay on top of this developing critical story.
My god have mercy on us all.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
It's not present on Mac Safari, though the demo page does crash the Safari 3 Beta.
The main thing is how the URL handling works, under Windows Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS the MacOS URL handler finds the application, and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.
I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.
--sitharus
From what I can tell, Apple is jumping on the consumer bandwagon (or trying to)--it seems they're trying to increase the Webkit install base to raise the "awareness" factor for iPhone's web engine. From the sessions I went to today, it seems Apple is really pushing for Web 2.0 development. I was surprised by this--for a developer conference specifically for Apple's OS, there was this weird, eerie spell cast by the presenters for pushing web apps.
The vibe amongst the attendees is a weird mix of disbelief and bewilderment. Safari for Windows was not the big deal Steve was hoping it would be. In fact, most of the conversations I've overheard are pretty critical of this direction.
I don't think Apple is serious about competing for market share against FF or IE on Windows. I think they're offering the development platform based on Webkit so that web developers can make sure their code looks OK on the iPhone. Webkit-iness seems to be the only development platform for iPhone Apps.
Or, maybe Steve is starting to drink his own Kool-Aid.
I might know what I'm talkin' about, but then again, this is Slashdot...
Offtopic:
I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.
So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!
Now, all the docs on how to enable it are for Safari on the Mac, understandbly. What to do?
Kill Safari
Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist
Add, in what appears to be the logical place: IncludeDebugMenu1
Load Safari. Now developer-useful things like the Javascript Console are available to you.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
Slashdot stripped my XML. The line to add is, IncludeDebugMenu1
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
It's very unfortunate that Google has diluted the meaning of "beta" so much.
It's very unfortunate that the rest of the industry (especially MS) has diluted the meaning of "gone gold" so much. Gold is the new beta; beta is the new alpha.
Put identity in the browser.
No. But put it this way...
Let's say there's something built atop an open source library. Hey, there's plenty of them out there... let's pick OpenSSL as an example. It's open source and it's used in other projects, some of which are commercial or proprietary systems. Now assume that some company makes a proprietary, closed product built on that project as the core, but continue to contribute changes -- a heck of a lot of changes -- back to the original project as the develop. And then they release this as a beta.
Finally, let's say that someone finds a vulnerability in the proprietary project, a security issue with implications for the open source project. And instead of reporting the vulnerability to the proprietary folks (who would probably promptly generate a patch for both their tool and the underlying library, the person refuses to report the vulnerability to anyone and just says 'I found vulnerabilities, but I'm not telling you what they are.'
That's basically how WebKit/KHTML and Safari are tied together. Safari's just a UI atop an open source framework, WebKit, which Apple is the primary contributor to but which other people also contribute to, and which other projects (besides Safari and OS X) use. WebKit is used on Symbian OS, on Linux, and various other operating systems. And this guy is claiming to have found vulnerabilities which, given where they occur, seem to have implications for WebKit as well as Safari... and is refusing to give the details to either Apple, or to the WebKit development community.
You don't have to be an Apple 'fanboi' (or fangirl) to see that's not the way to handle security disclosures. If someone found several bugs in Firefox and said 'ZOMG I can crash Firefox or anything which uses the Gecko HTML engine. I can do it 100% of the time. But I'm not going to report the details to the Firefox team, so, nyah!' people would be up in arms about it.
Professional, good security researchers report things to the responsible parties, giving them the details necessary to fix it. Going, "Ha ha, I found a way to break your stuff but I'm not going to tell you how" is not only unprofessional, it's just downright immature.
Sure, lambaste Apple for releasing a beta/preview of something with bugs if you feel you must. But, please, don't bother trying to defend someone who basically makes a mockery of the entire security field.
--Rachel
Steve Jobs wondered while introducing Safari for Windows: "How good are we at bringing apps to Windows?"
After reading "4 DoS bugs and 2 remote execution vulnerabilities", I'd say: "Pretty good!"
- Otaku no naka no otaku, otaking da!!!
Every single dialog box and effect is Aqua style. Even though both OS X and Windows XP / Vista have theme engines meaning there should be absolutely no reason at all for doing this. The engines allow apps to render their controls in the native style irrespective of how they are implemented. It's why Firefox in its default skin looks like a Windows app on Windows, like a Mac app on a Mac and so on - because rendering is handed off to the theme engine. Same happens for Java too. But not Safari it seems.
Or how about everyone stop treating their choice of operating system as a religion? Hmm?
I just read Slashdot for the articles.
Thor Larholm's vulnerability example crashes Safari 3 on Mac OS X too.
Quidnam Latine loqui modo coepi?
So when are you coming back for your second dose of moderation? Or do I get to steal them because I beat you to it? Informative surely *fingers crossed*
Strength through redundancy and over-design
Do you have a better explanation, or a justification for that approach? [note: I'm not the 'you' referred to in the parent]
Why would someone announce that he's found a vulnerability but refuse to disclose it to the vendor? Some ideas:
a) He wants to hurt the reputation of the product/vendor. (This doesn't even require the existence of a real vulnerability.)
b) He wants to sell the specifics vulnerability, either to the vendor or to the highest bidder (in which case, this is advertising).
c) He doesn't care about the security side of things, he's just earning himself some free PR on sites like this which will publish his unsupported claims uncritically.
d) This is his idea of fun.
Anything I've missed?
Strange women lying in ponds distributing swords is no basis for a system of government.
Citing the blog:
UPDATE 5: I've been asked what our disclosure policy is. Its pretty simple, in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or make threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting. We do not sell the vulnerabilities to any 3rd party.
Seems the very likely scenario that they reported a critical vulnerablity and Apple tried to troubleshoot them "Is the network cable plugged in?" or "Our software is absolutely secure, your don't need to worry about it, our software has been throughoutly tested." or such. A security expert who gets flushed down the toilet by a marketoid is quite likely to hold a grudge against given company and report the following bugs elsewhere than said company.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Ah, I see. So this is a religious thing. I wont bother arguing then.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
And "no longer supported" is the new gold.
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"