Apple Safari 3.1 - 1st Apr 2008 6:55pm
Safari browser allows Mac to be easily taken over at hacker convention, Vista, Ubuntu machines survive the day
It has not been a good couple weeks for Apple and Safari. First Opera knocked it from its position as sole 100 percent compatible Acid3 browser. Then it tried to force iTunes users to unintentionally download the browser as part of an iTunes update, which included a pre-checked install option for Safari. The move was met with broad criticism, including from Mozilla's CEO, who commented that Apple was bordering "on malware distribution practices." Finally, Safari users who updated to v3.1 reported many bugs and crashes.
Now the browser, which Apple CEO Steve Jobs once called the "most innovative browser in the world and the most powerful browser in the world", has had more bad news. At the CanSecWest Show, an annual security conference, it was found that the Safari browser was surprisingly insecure, allowing successful attacks on Mac computers.
CanSecWest sponsors an annual hacking contest, which seeks to recognize vulnerabilities and give a comparative analysis of OS security. A Mac, Vista machine, and Ubuntu box survived the first round, which only allowed pre-authentication attacks – a successful attack would have yielded a $20,000 prize. However, on the second day, the flood gates were opened and hackers were allowed to use default-installed client applications.
The Mac fell within minutes, hijacked by security researcher Charlie Miller. Miller compromised the computer through security flaws in the new Safari 3.1 browser, which he declined to make public. For his takeover via the new vulnerability, Miller netted a sweet prize of $10,000. Surprisingly, the hackers were unable to gain control of the Vista or Ubuntu machines that day.
On the third day, hackers were allowed to exploit popular third-party applications. Hackers found the Vista machine surprisingly hard to crack in what they thought would be an "easy pickings" day. The improved security is likely owing largely to SP1, perhaps because of NX support for heap memory. In the end it was taken down by a cross-platform Flash Player attack. The Ubuntu machine survived the day.
Some point that the Mac and others may be even more vulnerable than the show indicates as some have noted that a pre-authentication vulnerability might command a price of $50,000 or more elsewhere, making an exploit at the show unprofitable. According to eWeek's security analysts, "Safari is prone to a remote code-execution vulnerability because it fails to adequately handle regular expressions with large, nested repetition counts. Inaccurate compilation lengths are calculated, and an overflow results."
Miller didn't even have to use new vulnerabilities also known for Safari. The first is a simple overflow attack using zip files. The second attack allows injection of content in a window belonging to a trusted site.
A recent independent analysis confirmed that Apple patches its vulnerabilities slower than Microsoft. The analysis followed a controversial Microsoft report by Jeff Jones, known for trashing Firefox for its bugs. The report indicated that 36 vulnerabilities in Vista were fixed over a total of nine patching events, and 30 unpatched vulnerabilities remained, while a total of 116 vulnerabilities were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities.
Apple's patches last year indicated Apple's slower than acceptable patching pace. It included patches for four vulnerabilities known since 2006 and two known since 2005. The oldest of these, a vulnerability in Apache, had a fix released by Apache in 2005.
Security experts point out that despite Apple's poor security, its machines remain less attacked than Windows machines. Many believe this is simply a matter of market share. With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers with the Safari browsing taking the brunt of the attacks.
Sourced from Daily Tech
It has not been a good couple weeks for Apple and Safari. First Opera knocked it from its position as sole 100 percent compatible Acid3 browser. Then it tried to force iTunes users to unintentionally download the browser as part of an iTunes update, which included a pre-checked install option for Safari. The move was met with broad criticism, including from Mozilla's CEO, who commented that Apple was bordering "on malware distribution practices." Finally, Safari users who updated to v3.1 reported many bugs and crashes.
Now the browser, which Apple CEO Steve Jobs once called the "most innovative browser in the world and the most powerful browser in the world", has had more bad news. At the CanSecWest Show, an annual security conference, it was found that the Safari browser was surprisingly insecure, allowing successful attacks on Mac computers.
CanSecWest sponsors an annual hacking contest, which seeks to recognize vulnerabilities and give a comparative analysis of OS security. A Mac, Vista machine, and Ubuntu box survived the first round, which only allowed pre-authentication attacks – a successful attack would have yielded a $20,000 prize. However, on the second day, the flood gates were opened and hackers were allowed to use default-installed client applications.
The Mac fell within minutes, hijacked by security researcher Charlie Miller. Miller compromised the computer through security flaws in the new Safari 3.1 browser, which he declined to make public. For his takeover via the new vulnerability, Miller netted a sweet prize of $10,000. Surprisingly, the hackers were unable to gain control of the Vista or Ubuntu machines that day.
On the third day, hackers were allowed to exploit popular third-party applications. Hackers found the Vista machine surprisingly hard to crack in what they thought would be an "easy pickings" day. The improved security is likely owing largely to SP1, perhaps because of NX support for heap memory. In the end it was taken down by a cross-platform Flash Player attack. The Ubuntu machine survived the day.
Some point that the Mac and others may be even more vulnerable than the show indicates as some have noted that a pre-authentication vulnerability might command a price of $50,000 or more elsewhere, making an exploit at the show unprofitable. According to eWeek's security analysts, "Safari is prone to a remote code-execution vulnerability because it fails to adequately handle regular expressions with large, nested repetition counts. Inaccurate compilation lengths are calculated, and an overflow results."
Miller didn't even have to use new vulnerabilities also known for Safari. The first is a simple overflow attack using zip files. The second attack allows injection of content in a window belonging to a trusted site.
A recent independent analysis confirmed that Apple patches its vulnerabilities slower than Microsoft. The analysis followed a controversial Microsoft report by Jeff Jones, known for trashing Firefox for its bugs. The report indicated that 36 vulnerabilities in Vista were fixed over a total of nine patching events, and 30 unpatched vulnerabilities remained, while a total of 116 vulnerabilities were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities.
Apple's patches last year indicated Apple's slower than acceptable patching pace. It included patches for four vulnerabilities known since 2006 and two known since 2005. The oldest of these, a vulnerability in Apache, had a fix released by Apache in 2005.
Security experts point out that despite Apple's poor security, its machines remain less attacked than Windows machines. Many believe this is simply a matter of market share. With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers with the Safari browsing taking the brunt of the attacks.
Sourced from Daily Tech
