
Safari browser allows Mac to be easily taken over at hacker convention, Vista, Ubuntu machines survive the day

It has not been a good couple of weeks for Apple and Safari. First, Opera knocked it from its position as the sole 100 percent compatible Acid3 browser. Then Apple tried to force iTunes users to unintentionally download the browser as part of an iTunes update, which included a pre-checked install option for Safari. The move was met with broad criticism, including from Mozilla's CEO, who commented that Apple was bordering "on malware distribution practices." Finally, Safari users who updated to v3.1 reported many bugs and crashes.

Now the browser, which Apple CEO Steve Jobs once called the "most innovative browser in the world and the most powerful browser in the world", has had more bad news. At the CanSecWest Show, an annual security conference, it was found that the Safari browser was surprisingly insecure, allowing successful attacks on Mac computers.

CanSecWest sponsors an annual hacking contest, which seeks to recognize vulnerabilities and give a comparative analysis of OS security. A Mac, a Vista machine, and an Ubuntu box survived the first round, which only allowed pre-authentication attacks; a successful attack would have yielded a $20,000 prize. However, on the second day, the floodgates were opened and hackers were allowed to use default-installed client applications.

The Mac fell within minutes, hijacked by security researcher Charlie Miller.  Miller compromised the computer through security flaws in the new Safari 3.1 browser, which he declined to make public.  For his takeover via the new vulnerability, Miller netted a sweet prize of $10,000.  Surprisingly, the hackers were unable to gain control of the Vista or Ubuntu machines that day.

On the third day, hackers were allowed to exploit popular third-party applications.  Hackers found the Vista machine surprisingly hard to crack in what they thought would be an "easy pickings" day.  The improved security is likely owing largely to SP1, perhaps because of NX support for heap memory.  In the end it was taken down by a cross-platform Flash Player attack.  The Ubuntu machine survived the day.

Some point out that the Mac and the other machines may be even more vulnerable than the show indicates, noting that a pre-authentication vulnerability might command a price of $50,000 or more elsewhere, making an exploit at the show unprofitable. According to eWeek's security analysts, "Safari is prone to a remote code-execution vulnerability because it fails to adequately handle regular expressions with large, nested repetition counts. Inaccurate compilation lengths are calculated, and an overflow results."

Miller didn't even have to use other new vulnerabilities already known for Safari. The first is a simple overflow attack using zip files. The second allows injection of content into a window belonging to a trusted site.

A recent independent analysis confirmed that Apple patches its vulnerabilities more slowly than Microsoft. The analysis followed a controversial Microsoft report by Jeff Jones, known for trashing Firefox for its bugs. The report indicated that 36 vulnerabilities in Vista were fixed over a total of nine patching events, and 30 unpatched vulnerabilities remained, while a total of 116 vulnerabilities were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities.

Apple's patches last year illustrated its slower-than-acceptable patching pace. They included patches for four vulnerabilities known since 2006 and two known since 2005. The oldest of these, a vulnerability in Apache, had a fix released by Apache in 2005.

Security experts point out that despite Apple's poor security, its machines remain less attacked than Windows machines. Many believe this is simply a matter of market share. With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers, with the Safari browser taking the brunt of the attacks.




By Master Kenobi (blog) on 3/31/2008 1:24:39 PM , Rating: 5
I'm actually quite pleased to see Mac's security through obscurity model utterly destroyed... again...

In any case I am pleased that to break Vista down they had to use Flash (which has plenty of issues on its own).


By DASQ on 3/31/2008 2:28:42 PM , Rating: 5
Adobe.

Enough said.


By Goty on 3/31/2008 2:33:13 PM , Rating: 2
I was under the impression that it was a Java vulnerability, not Flash (I've read this on multiple other sites).


By Chadder007 on 3/31/2008 2:56:38 PM , Rating: 2
That's what I read too. ??????


By Master Kenobi (blog) on 3/31/2008 3:24:07 PM , Rating: 5
It was actually a combination of Flash and Java (which is quite complex). In either case, neither Flash nor Java have ever been secure.


By tallcool1 on 3/31/2008 3:46:42 PM , Rating: 2
quote:
In any case I am pleased that to break Vista down they had to use Flash (which has plenty of issues on its own).
I'm just curious, why does this please you?


By Goty on 3/31/2008 3:58:20 PM , Rating: 2
Probably because that means someone had to resort to third-party code in order to breach the system, it was not an OS vulnerability.


By jvillaro on 3/31/2008 5:04:47 PM , Rating: 2
I think it's because everybody just says this and that about Microsoft and its XP, Vista and IE security. And it's about time people start recognizing the improvements. It's not perfect but it's definitely much better than a couple of years ago. Also it kind of validates when people say that some security and stability issues are caused by flawed 3rd party software.


By jvillaro on 3/31/2008 4:55:01 PM , Rating: 2
I don't know about you guys, but ever since Adobe took over Flash, it's just been awful even more than before. Internet Explorer hangs up and gets pretty heavy when displaying Flash.


By MonkeyPaw on 3/31/2008 5:53:42 PM , Rating: 2
Yes, and so much of the poorly written flash content is from advertisements. I can think of some from companies like IBM and CDW that loaded CPUs to 100%, making the system sluggish or unresponsive until it cycled through. Fortunately, Firefox with Adblock does wonders to quell all the crappy flash floating around out there.


By jvillaro on 3/31/2008 6:12:05 PM , Rating: 2
I also like Firefox, but I use IE more. Just to know if anyone has had some issue. When I recently installed Firefox again and then installed the Flash plugin, Flash stopped working or uninstalled in IE, WTF??? Is this common? Is there a workaround? Was I high and didn't notice? Has anybody experienced this?


By glennpratt on 4/1/2008 10:45:23 AM , Rating: 2
No, this isn't common and probably unrelated. The plug-ins are totally separate (ActiveX vs Netscape style Plugin) and use different installers.

http://www.adobe.com/shockwave/download/alternates...


By psychobriggsy on 3/31/2008 5:16:54 PM , Rating: 2
Most likely the flaw that was exploited was in the open-source WebKit component, sounds like it is in a parser if it's to do with regular expressions.

Not exactly "security through obscurity". A lot of people seem to forget that Apple has open-sourced a lot of stuff (whilst keeping much of the stuff (cocoa, etc) that adds end-user value closed, of course).

Of course it could be in a deeper API, but then any other application that used that code would also be vulnerable.


By Flunk on 3/31/2008 10:35:03 PM , Rating: 2
Webkit is open-source because it has to be, it is based on code from the KDE project and the source must be made public on any derived works. Same with the code from the Darwin project, it must be made available because it is based on open-source FreeBSD code.

Apple provides sources only to portions of OS X they are legally required to.


By smitty3268 on 3/31/2008 10:44:06 PM , Rating: 2
You're correct, it was in part of the JavaScript library in WebKit.


Copyright 2014 DailyTech LLC.