Apple Safari On Windows Broken On First Day

Posted by kdawson
from the bigger-they-come dept.
An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.
  • report vulnerabilities to Apple because he is a total fsckwad loser attention hound.

    Thanks for the news about the vulnerabilities, Paris Maynor.
    • Yeah -- what the hell.

      I can understand not sitting on a vulnerability -- there are some valid points both for and against full disclosure -- but not notifying the company at all? WTF.

      This is the sort of stuff that just makes the whole IT security industry, and everyone involved in it, look dangerous and irresponsible.
      • by r00t (33219) on Monday June 11, 2007 @11:59PM (#19474097) Journal
        These things are worth a lot. Spammers, governments, mobsters... all will pay. You even get your choice of payment method:

        *euros
        *credit card numbers
        *yuan
        *underage virgins
        *dollars
        *shekels
        *death to your enemies
        *rubles
        *pounds, British money
        *pounds, crack cocaine

        Just be sure to not rip off the buyer. Most of the buyers have nasty ways to kill you. Some of them have polonium. Some of them have penis pills.
      • Re: (Score:3, Insightful)

        by Pc_Madness (984705)
        What does it matter... the total number of Safari for Windows users is what? A few thousand? He was definitely irresponsible putting all of those people who decided to try out beta software in harm's way. [/endsarcasm]

        What did he achieve? He managed to make Apple look stupid with their crap about how secure they are. He wasn't even trying to find holes in their software.

        Oh and I own two Macs before anyone calls me a fan boy of something else.
      • by SharpFang (651121) on Tuesday June 12, 2007 @08:02AM (#19476107) Homepage Journal
        Citing the blog:

        UPDATE 5: I've been asked what our disclosure policy is. It's pretty simple: in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or makes threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting. We do not sell the vulnerabilities to any 3rd party.

        It seems a very likely scenario that they reported a critical vulnerability and Apple tried to troubleshoot them with "Is the network cable plugged in?" or "Our software is absolutely secure, you don't need to worry about it, our software has been thoroughly tested." or such. A security expert who gets flushed down the toilet by a marketoid is quite likely to hold a grudge against the given company and report the following bugs elsewhere than to said company.
    • by krswan (465308)
      I'm sure that Apple appreciates the volunteer work he has done on their beta software.
    • by AchiIIe (974900)
      Agreed, and I would also like to remind fellow slashdotters that Maynor did indeed fake the wifi hack,
      Here is a video I made debunking their proof: http://video.google.com/videoplay?docid=146818771711399295
      My guess is that they got a buffer overflow but had not yet found the correct location in memory to write their shellcode. They still have not...
    • by Qwerpafw (315600) on Tuesday June 12, 2007 @10:31AM (#19477517) Homepage
      Before people start jumping on you (oh, too late) they should look at any of Apple's security updates. Apple routinely credits the people who report vulnerabilities. The majority of "bugs" in security updates are patches to third party stuff from the OSS community, and Apple finds stuff internally, but if you report a vulnerability and Apple patches it they credit you.

      for example, in Security Update 2007-5:

      mDNSResponder
      CVE-ID: CVE-2007-2386
      Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
      Impact: A remote attacker may be able to cause a denial of service or arbitrary code execution
      Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.

      and

      VPN
      CVE-ID: CVE-2007-0753
      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
      Impact: A local user may obtain system privileges
      Description: A format string vulnerability exists in vpnd. By running the vpnd command with maliciously crafted arguments, a local user can trigger the vulnerability which may lead to arbitrary code execution with system privileges. This update addresses the issue by performing additional validation of the arguments passed to vpnd. Credit to Chris Anley of NGSSoftware for reporting this issue.

      So shut up and read up before making up claims about how Apple hates security researchers.
  • by YowzaTheYuzzum (774454) on Monday June 11, 2007 @11:00PM (#19473625)
    ... it's a beta version.
    • Re: (Score:3, Interesting)

      by gbulmash (688770) *
      What makes me scratch my head... if these guys can find holes in a few hours, why can't Apple? It's not like these guys spent months to find some really obscure bug. They banged away with known attack vectors and got near-instant results. In a case like that, "it's a beta", particularly when it's been hyped at a big event, rings VERY hollow.

      IMO... If you release it quietly, so only the diehards are really pounding it, you can keep the "it's a beta" excuse. If you hype the release, you lose the excuse
      • by cgenman (325138) on Monday June 11, 2007 @11:53PM (#19474063) Homepage
        What makes me scratch my head... if these guys can find holes in a few hours, why can't Apple?

        Because 100,000k security researchers and hackers all typing away at keyboards will eventually write Shakespeare?

        I don't care how bright your engineers are or how well you've planned your security model, the moment you put it on the 'net it WILL be hacked. That doesn't mean it will stay hacked, so much as the task of securing a system against simulated internal attacks will uncover different problems than putting it in the wild.

      • Re: (Score:3, Insightful)

        by ceoyoyo (59147)
        Hm... I didn't see any TV commercials about Safari on Windows. I did hear about an announcement at an annual conference for developers.
      • by the pickle (261584) on Tuesday June 12, 2007 @12:23AM (#19474241) Homepage
        "if these guys can find holes in a few hours, why can't Apple?"

        David Maynor has a track record as a publicity whore first and legitimate security researcher second, so whether Maynor has actually found as many bugs as he claims to have found here is up for debate until he provides some more substantial proof. He also has a giant ax to grind after Apple embarrassed him in the AirPort bug fiasco. I'd take anything he says with a grain of salt until he gives me ample reason to trust him again.

        Nice policy, by the way: find bugs and don't ever report them to Apple. Because last time you claimed to have reported a bug, Apple exposed you as a liar, so now you just don't bother. That's brilliant. We need more people in the world with that kind of attitude. And Maynor wonders why people don't take him seriously as a "security researcher". The Blogspot-based announcement doesn't help either. That's like your company e-mail address being @hotmail.com.

        Thor Larholm, on the other hand, may well have found a legitimate bug. What with this being beta software and all, that's not too incredibly surprising. Equally serious bugs have been found in release versions of Firefox and IE, so I'm not sure what the big deal is here. If Safari 3 ships with these vulnerabilities still unfixed, then people should worry.

        p
      • by Grail (18233) on Tuesday June 12, 2007 @01:18AM (#19474529) Journal
        If the "known attack vector" is actually a bug in the Microsoft Windows JPEG handling API, will you still be crowing about Safari 3 for MS Windows being broken? Go have a look at the number of problems that exist for previous versions of Microsoft Windows XP, in particular relating to graphic formats of some kind or another.

        Besides, from the screenshot of the crash reporter, it's a null pointer dereference (not a heap overflow) - so sure, it's a remotely exploitable denial of service attack, but the browser crashes because the software has detected a problem and decides that the safest way out is to dump core. Let's all go tell the world how broken Safari 3 for MS Windows is!

        For example: http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=(MS06-078)+Vulnerability+in+Windows+Media+Format+Could+Allow+Remote+Code+Execution+(923689)

        Have fun.
      • Why bother when... (Score:3, Insightful)

        by ivan256 (17499)
        ...you can release a public beta and have have thousands of publicity whores do top notch security analysis of your beta for free?
    • by LO0G (606364)
      Could you imagine the screams of outrage if Microsoft, Mozilla or Opera would have released a beta browser with those kinds of problems?

      Think about it - while it's unquestionable that both Thor and David are very talented hackers, they both indicated that they didn't even look very hard to find the problems they found.

    • by Jeff DeMaagd (2015) on Monday June 11, 2007 @11:36PM (#19473901) Homepage Journal
      Given the complaints I've seen elsewhere, I think that the quality is closer to alpha stage development. Usually, "public beta" is done on software that's almost ready for use, but has minor bugs. The reports I've seen are that there are a lot of serious bugs in rendering and stability, and now, major security problems.
      • Re: (Score:3, Informative)

        Given the complaints I've seen elsewhere, I think that the quality is closer to alpha stage development. Usually, "public beta" is done on software that's almost ready for use, but has minor bugs.

        The standard everywhere I've worked has been:

        • milestone - a development snapshot at some point for some feature set. Not feature complete or debugged.
        • alpha - not feature complete, not debugged. Significant milestone - let a partner company or two take a look and give feedback.
        • beta - feature complete - but not fully debugged, let selected users pound on it and find some more bugs.
        • release candidate - we think we have all the important bugs out, barring appearance a new, big one, we ship this.
        • gold maste
  • Uhhh...its beta? (Score:2, Informative)

    by protohiro1 (590732)
    I mean, you kind of expect there are going to be some bugs...this is a Good Thing and the reason you release a public beta, (in addition to getting buzz) you can shake out the bugs.
  • Wow (Score:5, Informative)

    by mabinogi (74033) on Monday June 11, 2007 @11:02PM (#19473639) Homepage
    Bugs in the first public beta release!
    Who would've thought it!

    Incidentally, it doesn't seem to like authenticating proxies at all, so my first experience with it was a bug too :/

    However, making a big deal of, but not reporting bugs found in a beta release of something seems more than a little silly.

    • by Aqua OS X (458522) on Tuesday June 12, 2007 @12:50AM (#19474397)
      This just in, nasty bugs were quickly discovered in the public beta of a newly ported app. Disappointment of outrageous expectations has now led to the death of several men living in their mothers' basements.

      It is assumed Apple released this devastating "beta" because they hate freedom and want the terrorists to win... and they've now won.

      We will try to stay on top of this developing critical story.
      My god have mercy on us all.
  • I'm not surprised. Apple really doesn't write more secure code, they just have a lower market share and thus aren't as much of a target.

    And a lot of their success at security on Mac OS is just them inheriting some of their security from the BSD kernel which I'm positive beats the hell out of the Windows kernel in terms of security.
  • OK the system requirements say that you need OS X 10.4.9, 256MB RAM, and 50 meg of disk space.

    I'm running 10.4.9, 1.25 GB RAM on a Powerbook G4, have 18 GB spare on my HD, yet the installer says:
    "You cannot install Safari Beta 3 on this volume. This volume doesn't meet the requirements for this update."

    Anyone else getting this error? Anyone know of a workaround? How can you tell why the installer is stopping?
    • Re: (Score:2, Informative)

      by Anonymous Coward
      Make sure your current copy of Safari is still in /Applications/. The beta won't install otherwise.
  • by lennier (44736) on Monday June 11, 2007 @11:12PM (#19473717) Homepage
    The quote is "an afternoon of idle _fuzzing_". As in fuzz testing.
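The "afternoon of fuzzing" behind the headline bug counts is easier to picture with a minimal mutation fuzzer. This is an added example, not Maynor's tooling or anything from the page: it mutates a seed input (bit flips, byte overwrites, truncation, insertion), feeds each candidate to a constructed toy parser of length-prefixed records, and records every exception the parser did not expect as a crash. The record format, the parser and its deliberate defect (trusting the length byte) are made up here for illustration; nothing about Safari's real bugs is implied.

```python
import random


class ParseError(ValueError):
    """Expected failure: malformed input that the parser noticed and rejected."""


def encode_records(payloads):
    """Build the constructed record format: length byte, payload, checksum byte."""
    out = bytearray()
    for p in payloads:
        out.append(len(p))
        out += p
        out.append(sum(p) % 256)
    return bytes(out)


def parse_records(data):
    """Constructed toy target. The defect is deliberate and only exists here:
    the length byte is trusted and the checksum byte is indexed directly, so
    a record that claims more bytes than remain raises IndexError instead of
    the ParseError the caller is prepared for."""
    records, pos = [], 0
    while pos < len(data):
        length = data[pos]
        payload = data[pos + 1 : pos + 1 + length]
        checksum = data[pos + 1 + length]            # IndexError when truncated
        if sum(payload) % 256 != checksum:
            raise ParseError("bad checksum at offset %d" % pos)
        records.append(bytes(payload))
        pos += 2 + length
    return records


def run_target(data):
    """Return None when the parser behaves (success or a clean ParseError),
    otherwise the unexpected exception: that is what the fuzzer calls a crash."""
    try:
        parse_records(data)
    except ParseError:
        return None
    except Exception as exc:
        return exc
    return None


def mutate(data, rng):
    """One random mutation: bit flip, interesting-byte overwrite, truncation
    or insertion of a few random bytes."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0, 1, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def fuzz(seed_input, iterations, seed=0):
    """Mutate the seed input repeatedly and keep the first input that triggers
    each distinct unexpected exception type."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        exc = run_target(candidate)
        if exc is not None:
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


SEED_INPUT = encode_records([b"abc", b"xy"])   # constructed well-formed input

if __name__ == "__main__":
    for name, sample in fuzz(SEED_INPUT, 2000, seed=1).items():
        print(name, sample)
```

Truncating the seed input at almost any point makes the parser index past the end, so even a few hundred iterations find the IndexError; the point is that the crash is found by a parser's failure to distinguish "bad input" from "input shorter than my length field says", which is exactly the kind of thing a fuzzer turns up in a browser's format parsers in an afternoon.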
  • by alta (1263) on Monday June 11, 2007 @11:16PM (#19473759) Homepage Journal
    Remote code execution 2.5 times faster than FF on windows!
  • Alpha or Beta? (Score:5, Informative)

    by eebra82 (907996) on Monday June 11, 2007 @11:22PM (#19473789) Homepage
    I was actually looking forward to try this browser out, but to my surprise, I could not even make it work.

    The installation was smooth without any unexpected bumps on the road. First when I loaded the program, I noticed that no menu fonts nor any fonts whatsoever on the web pages existed. To make it worse, the browser would crash every time I clicked on anything with interactivity, such as the stop button. I have read quite a few solutions to this problem but so far no success. I run Win XP SP2, btw.

    Anyway, there are more problems around the corner. According to the Apple forum, people can't play Windows Media files, dual monitor support is very buggy, some buttons screw up the GUI when pressed down and dragged, loads of spontaneous lockups, random letters appearing everywhere, installation problems, parental control issues and more.

    Also, I am not a big fan of customized GUIs for crucial applications like a web browser. We should be able to use Windows ClearType instead of the ported OSX version (which sucks), and most importantly, we should be able to use the standard Windows themes. I don't get why Apple thinks the average Windows user would want a significantly altered browser that looks nothing like the rest of the operating system he or she is using. How would Mac users react if Internet Explorer was ported with the Windows theme?

    I think it looks like a promising project, but I am worried because it's not in Apple's nature to release beta software with so many bugs and so little heart put into it.
    • How would Mac users react if Internet Explorer was ported with the Windows theme?
      Ask them, IE 5 WAS ported with the Windows theme. It wasn't until Office X that the MBU started designing things more along the lines of the Mac ascetic, but even then, you can tell it's a Windows program.
      • Re: (Score:3, Funny)

        by bahstid (927038)
        No, no, no! Lynx has browser ascetic. You are thinking of aesthetic.
      • Re: (Score:3, Insightful)

        by DrXym (126579)
        Ask them, IE 5 WAS ported with the windows theme.

        Well not entirely - IE 5 had a fruit flavoured theme to go with iMacs of the day, and the UI was distinctly Mac like. But Mac users have certainly gone batshit crazy over past versions of Office.

        Windows users tend to be more levelheaded and / or apathetic. Instead of protesting, they'll simply ignore Safari altogether. The Safari 3.0 UI in Vista is awful - totally nonstandard in every respect. It's bad enough to have an Aqua-esque theme foisted into iTun

    • Re: (Score:3, Funny)

      by SpeedyDX (1014595)

      How would Mac users react if Internet Explorer was ported with the Windows theme?
      If it's Internet Explorer, the theme would be the last thing I'd be worrying about.
    • Re: (Score:3, Interesting)

      by cowscows (103644)
      I have no inside knowledge of any of Apple's plans, but I wonder if they didn't sort of rush the Safari for Windows beta release to quell a bit of the noise that some people have been making about the lack of 3rd party development for the iPhone. Along with this new version of safari, Apple announced today that the way to get your app onto the iPhone is through web applications, and safari is what the iPhone is going to be running. And I guess they decided to release Safari for windows now, just to show tha
    • Re:Alpha or Beta? (Score:4, Insightful)

      by dangitman (862676) on Tuesday June 12, 2007 @05:04AM (#19475373)

      Also, I am not a big fan of customized GUI:s for crucial applications like a web browser. We should be able to use Windows ClearType instead of the por

      Well, firstly, there appears to be some bug with the Safari beta, possibly interacting with your Windows installation.

      But Cleartype? Man, that sucks. The worst thing about web browsing on Windows is that text looks like shit. It would be nice to have a Windows browser that does decent text display. This is a huge problem where I work - where web pages are often viewed on a data projector screen for a large audience. Some projectors are hooked up to a Mac, some hooked up to a Windows machine. The output from Windows machines is uniformly terrible - which makes me wonder why they even bother using Windows on machines that drive projectors. In contrast, the Mac web browsers look great. So, if Safari on Windows (if it works) hopefully will provide a way to have a decent way of rendering web pages on large screens, and help us escape the misery of Cleartype and Internet Explorer.

    • Re: (Score:3, Insightful)

      by drew (2081)

      I don't get why Apple thinks the average Windows user would want a significantly altered browser that looks nothing like the rest of the operating system he or she is using.

      I take it you haven't actually seen IE7 yet? Besides, somehow or other, they've convinced people to actually use iTunes on Windows, so maybe there is hope...
  • by lena_10326 (1100441) on Monday June 11, 2007 @11:22PM (#19473793) Homepage
    ..."that you should expect bugs in a BETA"

    Come on. You have to admit remote execution of any cmd is pretty bad even for a beta. This ain't your run of the mill bug, like a UI glitch or rendering type of bug. It makes the beta unusable and thus not a very useful beta. (Unless you're testing how your own trusted website looks under Safari.)
    • by mabinogi (74033) on Monday June 11, 2007 @11:31PM (#19473853) Homepage
      Well the point of a Beta release is to increase the userbase so as to increase the amount of testing.

      If they could guarantee they could get the security bugs out before releasing a Beta version, then they'd be able to guarantee they could get all the other bugs out too, so then it wouldn't be a Beta release, but a final release.

      You just have to accept that if a company has said "this is a beta release, it will have bugs", that it will have bugs - all types of bugs, not just "safe" bugs. Also, the severity of the effect of a bug has no correlation with how easy it is to locate.

      People have become way too complacent about trying beta quality software these days. Don't try it if you don't want to take the risk.
      • by lena_10326 (1100441) on Monday June 11, 2007 @11:44PM (#19473983) Homepage

        Well the point of a Beta release is to increase the userbase so as to increase the amount of testing.
        Yea. Increase the userbase. Of course, they just did the opposite and scared them away. Lesson here: never show your unfinished work. A first impression only comes once.

        You just have to accept that if a company has said "this is a beta release, it will have bugs", that it will have bugs - all types of bugs, not just "safe" bugs.
        A bug that lets any old script kiddie put up a page that can execute del /S c:\* on my PC is beyond the level of anyone's expectation of a bug. Why would I bother with Safari now? Sure. They'll release another, new, improved beta... bug free, but will I trust them?

        No.

        Even with a free beta I have a reasonable level of expectation. That the program not destroy my machine with basic usage. That the program not allow remote execution. That the program provide some core functionality as advertised. This version of Safari is well below those expectations.
      • by aepervius (535155)
        For a browser to have an "easily" testable major bug like remote execution is something that should have been caught a bit before. I disagree totally with the way this security "researcher" handled the bugs, but I also totally disagree with taking off the slack because this is a beta. A bug found so quickly by testing a few known vulnerabilities in a browser is something bad. With a big B. Smells of a lack of security testing pre-beta.
  • by Bri3D (584578) on Monday June 11, 2007 @11:25PM (#19473815) Journal
    Apple includes CoreFoundation.dll and CoreGraphics.dll, which have the same exports as the OSX frameworks.
    Therefore it's possible to use the OSX CoreFoundation and CoreGraphics headers to link to the Windows DLLs natively and create native Windows "pseudo-OSX" apps.
    I believe CoreFoundation.dll has been around with WebObjects for Windows NT for a while, but I think CoreGraphics.dll is a new Apple "release" (I remember some anger over Apple not porting CoreGraphics when WebObjects/NT first came out).
    I've documented some of what I've poked around today (just a screenshot and simple description for the moment) at http://pages.brianledbetter.com/
    • Re: (Score:3, Insightful)

      by BlueGecko (109058)
      Close. OpenStep for Windows NT made available FoundationKit and AppKit, which are the two major Objective-C frameworks of OS X and the core of Cocoa. They continued to be available on Windows through early versions of WebObjects 4, but are no longer available in any way from Apple. These are two of the frameworks that the GNUstep project aims to clone, with varying degrees of success.

      CoreFoundation and CoreGraphics are APIs that were new in OS X. CoreFoundation is an object-oriented C-based API designed tha
  • by AikonMGB (1013995) on Monday June 11, 2007 @11:37PM (#19473919) Homepage

    ... but the first thing that I thought of was that here you have an app (Safari) that works perfectly fine on Macs; as soon as it gets ported to Windows, BAM, instantly full of vulnerabilities. Would Apple go so far as to break their own product to deface an opponent in the OS arena?

    Aikon-

    • by TheVelvetFlamebait (986083) on Tuesday June 12, 2007 @12:13AM (#19474175) Journal
      Mac: Hello, I'm a Mac...
      PC: ...and I'm a PC.
      Mac is looking through a small viewfinder, looking very absorbed
      PC: Hey Mac.
      Mac: Yeah?
      PC: What are you doing?
      Mac: I'm browsing the internet with Safari.
      PC: I do the same thing with IE.
      Mac: You should try Safari. It's fast, secure, and easy to use.
      Mac hands the viewfinder to PC
      PC: Oh, thanks.
      PC looks into the viewfinder and keels over, dead
      Mac shrugs
  • by BRSloth (578824) on Monday June 11, 2007 @11:42PM (#19473965) Homepage Journal
    I wonder how many of those vulnerabilities are actually Safari/KHTML code and how many of those are Windows vulnerabilities.

    IIRC, Firefox had that "URL protocol handler command injection" vulnerability (or something around those lines, correct me if I'm wrong) a few years ago and FF developers said it was the way Windows handles protocols. In the end, they had to change the way URLs are handled inside FF to prevent Windows from catching it.
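The URL protocol handler command injection that Thor Larholm reported (in the story summary) and the earlier Firefox-on-Windows case recalled in the comment above belong to the same class of bug, which the following added example models. It is not Safari's or Firefox's code, and the page gives no details of either bug; the handler path, the command template and the attacker URL are all hypothetical. On Windows a registered protocol is launched from a registry command template in which %1 is replaced by the URL. If the browser pastes the raw URL into that string, a double quote inside the URL closes the quoted argument and whatever follows is parsed as further arguments to the handler. The tokenizer below follows the CommandLineToArgvW quoting rules closely enough to show the split, and two fixes are shown: building the command line from an argument list with proper escaping, and refusing (or percent-encoding) characters a URL should never contain.

```python
import re
import subprocess
import urllib.parse

# Hypothetical handler registration (assumed, not from the page), shaped like
# a Windows "shell\open\command" value: the browser replaces %1 with the URL.
HANDLER_EXE = r"C:\Program Files\Example\handler.exe"
HANDLER_TEMPLATE = '"%s" -url "%%1"' % HANDLER_EXE

# Constructed attacker-controlled URL: the quote closes the -url argument and
# the remainder is parsed as extra arguments to the handler.
EVIL_URL = r'myapp://x" -config "C:\evil.cfg'


def split_windows_cmdline(cmdline):
    """Tokenize a command line the way CommandLineToArgvW does (simplified):
    whitespace separates arguments, a double quote toggles quoted mode, and a
    run of n backslashes before a quote yields n//2 backslashes plus, when n
    is odd, a literal quote. Backslashes elsewhere are literal."""
    args, cur = [], []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')       # escaped quote, not a delimiter
                    j += 1
            else:
                cur.append("\\" * count)
            have_arg, i = True, j
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args


def naive_launch(url):
    """The vulnerable pattern: substitute the raw URL into the template."""
    return HANDLER_TEMPLATE.replace("%1", url)


def safe_launch(url):
    """Build the command line from an argument list so the URL is escaped as
    one argument no matter what it contains."""
    return subprocess.list2cmdline([HANDLER_EXE, "-url", url])


# Characters RFC 3986 allows in a URL; a quote, space or backslash is never one.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def is_safe_url(url):
    """Reject a URL that would need quoting before it could be an argument."""
    return _URL_CHARS.fullmatch(url) is not None


def encode_for_handler(url):
    """Percent-encode anything outside the RFC 3986 character set."""
    return urllib.parse.quote(url, safe=":/?#[]@!$&'()*+,;=%")


if __name__ == "__main__":
    print(split_windows_cmdline(naive_launch(EVIL_URL)))   # 5 argv entries: injected -config
    print(split_windows_cmdline(safe_launch(EVIL_URL)))    # 3 argv entries
    print(is_safe_url(EVIL_URL), encode_for_handler(EVIL_URL))
```

Both fixes are needed in practice: the escaping keeps the URL in one argument, and the character check stops a quote or space from ever reaching the template in the first place, which matters when the template is owned by the registering application rather than the browser. Whether the handler itself then does something dangerous with a URL it was handed is a separate question that this example does not cover.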
  • From here @ WWDC... (Score:5, Interesting)

    by catdevnull (531283) on Tuesday June 12, 2007 @01:16AM (#19474505)
    From what I can tell, Apple is jumping on the consumer bandwagon (or trying to)--it seems they're trying to increase the Webkit install base to raise the "awareness" factor for iPhone's web engine. From the sessions I went to today, it seems Apple is really pushing for Web 2.0 development. I was surprised by this--for a developer conference specifically for Apple's OS, there was this weird, eerie spell cast by the presenters for pushing web apps.

    The vibe amongst the attendees is a weird mix of disbelief and bewilderment. Safari for Windows was not the big deal Steve was hoping it would be. In fact, most of the conversations I've overheard are pretty critical of this direction.

    I don't think Apple is serious about competing for market share against FF or IE on Windows. I think they're offering the development platform based on Webkit so that web developers can make sure their code looks OK on the iPhone. Webkit-iness seems to be the only development platform for iPhone Apps.

    Or, maybe Steve is starting to drink his own Kool-Aid.
  • by Rolman (120909) on Tuesday June 12, 2007 @02:55AM (#19474969)
    Steve Jobs wondered while introducing Safari for Windows: "How good are we at bringing apps to Windows?"

    After reading "4 DoS bugs and 2 remote execution vulnerabilities", I'd say: "Pretty good!"
  • by DrXym (126579) on Tuesday June 12, 2007 @04:10AM (#19475211)
    Every single dialog box and effect is Aqua style. Even though both OS X and Windows XP / Vista have theme engines meaning there should be absolutely no reason at all for doing this. The engines allow apps to render their controls in the native style irrespective of how they are implemented. It's why Firefox in its default skin looks like a Windows app on Windows, like a Mac app on a Mac and so on - because rendering is handed off to the theme engine. Same happens for Java too. But not Safari it seems.
  • by eturro (804858) on Tuesday June 12, 2007 @05:21AM (#19475483)
    Thor Larholm's vulnerability example crashes Safari 3 on Mac OS X too.
