Within hours of Apple launching a beta version of its
Safari browser for Windows, vulnerability researchers were picking
it apart for security holes. It didn't take them long to find
something.
Safari, long a part of Apple's Mac OS X operating system, is
often touted by Mac enthusiasts as a more secure
alternative to the Internet Explorer browser that comes with
Windows machines. But some experts have warned of more
exploits against Apple products as they grow in popularity.
Denmark-based researcher Thor Larholm was among those to report
a problem with the new version of Safari Monday. He claimed to have
developed a fully-functional command execution vulnerability within
two hours of installing Safari on his computer, triggered simply by
visiting a Web site.
"Given that Apple has had a lousy track record with
security on [Mac] OS X, in addition to a hostile attitude
towards security researchers, a lot of people are expecting to see
quite a number of vulnerabilities targeted towards this new Windows
browser," Larholm wrote in his blog.
He noted that well-known researchers David Maynor and Aviv Raff
are also "pounding" Safari for flaws and are easily finding
problems. Maynor, co-founder and chief technology officer of
Atlanta-based Errata Security, wrote in the Errata Security blog
that his team found a
memory corruption flaw "in no time" using publicly-available
tools.
"I'd like to note that we found a total of six bugs in an
afternoon, four [denial-of-service] and two remote code execution
bugs," Maynor wrote. "We have weaponized one of those to be
reliable ... The bugs found in the beta copy of Safari on Windows
work on the production copy on [Mac] OS X as well. The exploit is
robust mostly thanks to the lack of any kind of advanced security
features in OS X."
In an email alert to customers of its DeepSight threat
management service, Cupertino, Calif.-based Symantec Corp. warned
that attackers could use at least one of the flaws to pass
arbitrary command line arguments to any application that can be
called through a protocol handler.
Of Larholm's discovery, Symantec said, "This specific
vulnerability relies on the use of IFRAME elements and is highly
extensible in destructive capabilities if used in conjunction with
Mozilla XPCOM components."
Specifically, Symantec said, "Safari does not properly sanitize
input passed through IFRAME elements, allowing a remote attacker to
pass arbitrary command line arguments to affected systems through
the use of URL protocol handlers available on the Windows
platform."
As a precaution, Symantec has recommended that users avoid links
provided by unknown or untrusted sources, be wary of untrusted Web
sites, and reject communications that originate from unknown or
untrusted sources. Users also should not open or accept unsolicited
HTML email, as it may provide an attack vector for numerous
vulnerabilities, Symantec said.