It has not been a good couple of weeks for Apple and Safari. First Opera knocked it from its position as the sole 100 percent compatible Acid3 browser. Then Apple tried to get iTunes users to download the browser unintentionally, as part of an iTunes update that included a pre-checked install option for Safari. The move was met with broad criticism, including from Mozilla's CEO, who commented that Apple was bordering "on malware distribution practices." Finally, Safari users who updated to v3.1 reported many bugs and crashes.
Now the browser, which Apple CEO Steve Jobs once called the "most innovative browser in the world and the most powerful browser in the world", has had more bad news. At the CanSecWest show, an annual security conference, the Safari browser was found to be surprisingly insecure, allowing successful attacks on Mac computers.
CanSecWest sponsors an annual hacking contest, which seeks to recognize vulnerabilities and give a comparative analysis of OS security. A Mac, a Vista machine, and an Ubuntu box all survived the first round, which allowed only pre-authentication attacks; a successful attack would have yielded a $20,000 prize. On the second day, however, the floodgates were opened and hackers were allowed to target default-installed client applications. The Mac fell within minutes, hijacked by security researcher Charlie Miller. Miller compromised the computer through a security flaw in the new Safari 3.1 browser, the details of which he declined to make public. For his takeover via the new vulnerability, Miller netted a $10,000 prize. Surprisingly, the hackers were unable to gain control of the Vista or Ubuntu machines that day.
On the third day, hackers were allowed to exploit popular third-party applications. They found the Vista machine surprisingly hard to crack on what they had expected to be an "easy pickings" day. The improved security is likely owing largely to SP1, perhaps because of NX support for heap memory. In the end it was taken down by a cross-platform Flash Player attack. The Ubuntu machine survived the day.
Some point out that the Mac and the other machines may be even more vulnerable than the contest indicates: a pre-authentication vulnerability might command a price of $50,000 or more elsewhere, making it unprofitable to use one at the show. According to eWeek's security analysts, "Safari is prone to a remote code-execution vulnerability because it fails to adequately handle regular expressions with large, nested repetition counts. Inaccurate compilation lengths are calculated, and an overflow results."
Miller didn't even have to use a new vulnerability; two are already known for Safari. The first is a simple overflow attack using zip files. The second allows injection of content into a window belonging to a trusted site.
A recent independent analysis confirmed that Apple patches its vulnerabilities more slowly than Microsoft. The analysis followed a controversial Microsoft report by Jeff Jones, known for trashing Firefox for its bugs. The report indicated that 36 vulnerabilities in Vista were fixed over a total of nine patching events, with 30 unpatched vulnerabilities remaining, while a total of 116 vulnerabilities were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities remaining. Apple's patches last year illustrated its slower-than-acceptable patching pace: they included fixes for four vulnerabilities known since 2006 and two known since 2005. The oldest of these, a vulnerability in Apache, had a fix released by Apache in 2005.
Security experts point out that despite Apple's poor security, its machines remain less attacked than Windows machines. Many believe this is simply a matter of market share. With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers, with the Safari browser taking the brunt of the attacks.