
July 8th, 2008

Apple hasn't learned from past security mistakes

Posted by Ryan Naraine @ 9:33 am

Categories: Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Firefox, Microsoft, Pen testing, Vulnerability research, Zero-day attacks

Tags: Security, Apple Safari, Apple Inc., Web Browser, Web Browsers, Microsoft Windows, Internet, Operating Systems, Software, Ryan Naraine

* Ryan Naraine is on vacation.

Guest editorial by Aviv Raff

Apple’s Safari for Windows is a nice browser. It really is. It has a slick user interface, some pretty cool features, and benchmarks show that it is really fast. But saying that it is “secured from day one” is simply not true, to say the least.

Unfortunately, Apple forgot to do the first thing you learn when you get a sunburn — learn from past mistakes, especially if they were made by others. The following are three prominent examples:

Automatic File Download

This issue is pretty simple. You visit a Web site and, without your confirmation, Apple downloads a file to your computer. A request to Apple to fix this issue was first treated as an “enhancement request.” This security hiccup was discovered by Laurent Gaffie, and then again, in a different variation, by Nitesh Dhanjani.

According to CVE-2007-4424:

“…it could be argued that this is not a vulnerability because a dangerous file is not actually launched, but as of 2007, it is generally accepted that Web browsers should prompt users before saving dangerous content…”

Also, as already confirmed by Apple, this vulnerability can be used in a blended attack to automatically execute arbitrary code remotely, without user interaction. Strike one!

Let’s move on…

Browser Fuzzing

July 2006’s Month of Browser Bugs was all about fuzzing. During this month and afterwards, several browser fuzzing tools were released by HD Moore, Matthew Murphy, Thierry Zoller and me. Hamachi, CSS-Die, DOM-Hanoi and AxMan were freely available to the public.

A year later, Apple Safari for Windows was released. A few hours later, several critical bugs were found, simply by using the publicly available browser fuzzing tools.

Nothing more to add!

Cache and Cookies Predictable Location

Last but not least, a new design flaw. Apple Safari for Windows keeps the Cache and Cookies in files at a predictable location. This design flaw was already researched in the past by several security researchers. This is exactly why the Temporary Internet Files of Internet Explorer are saved in random directories, and Firefox generates a random name for the profile directory.

But not in Apple Safari for Windows. The cache.db (SQLite database file) and cookies.plist (XML file) are saved in the user profile directory under a statically named directory.

Think about a new blended threat, where it is possible to load a local XML file from remote (this was possible in the past in other browsers). In combination with this design flaw, an attacker can easily steal all of the user’s cookies and hijack browser sessions.

Should we say more?
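
The randomized-profile approach described above, as an added Python example (not code from the article, Apple or Mozilla): the store lives under a directory whose name carries eight characters from a CSPRNG, and only a local index maps the profile name to it. The function names, the `Profile.<name>` section layout and the use of an index file called `profiles.ini` are assumptions made for illustration.

```python
import configparser
import secrets
import string
from pathlib import Path

ALPHABET = string.ascii_lowercase + string.digits   # 36^8 possible directory names
INDEX = "profiles.ini"                              # illustrative index file name


def _load_index(base: Path) -> configparser.ConfigParser:
    index = configparser.ConfigParser()
    index.read(base / INDEX)                        # a missing file yields an empty index
    return index


def create_profile(base: Path, name: str = "default") -> Path:
    """Create <base>/<8 random chars>.<name> and record it in the index."""
    base.mkdir(parents=True, exist_ok=True)
    salt = "".join(secrets.choice(ALPHABET) for _ in range(8))
    profile = base / f"{salt}.{name}"
    # Owner-only on POSIX; on Windows the mode is ignored and the ACL
    # inherited from the user profile directory applies instead.
    profile.mkdir(mode=0o700)
    index = _load_index(base)
    index[f"Profile.{name}"] = {"path": profile.name}
    with open(base / INDEX, "w") as fh:
        index.write(fh)
    return profile


def resolve_profile(base: Path, name: str = "default") -> Path:
    """Look the random directory up again; the path is never hard-coded."""
    return base / _load_index(base)[f"Profile.{name}"]["path"]


def cookie_store(base: Path, name: str = "default") -> Path:
    """Where cookies.plist would live under the randomized layout."""
    return resolve_profile(base, name) / "cookies.plist"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:      # constructed sample location
        base = Path(tmp) / "Browser"
        create_profile(base)
        print("static layout    :", base / "cookies.plist")
        print("randomized layout:", cookie_store(base))
```

The index itself still sits at a fixed path, so this layout only helps against attacks that must name the target file in advance; it does nothing against an attacker who can already read arbitrary local files or list directories.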

In conclusion, before porting the Safari browser from Mac to Windows, Apple should have looked at past browser vulnerabilities and design flaws, and really tried to avoid them.

The examples above show that Apple didn’t learn anything from past mistakes.

* Aviv Raff manages a security research team for a Fortune 500 company. You can read about his research at his blog or follow his daily activities on Twitter.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

