Security researcher Thor Larholm has found what might be the first remote code execution vulnerability in Apple's shiny new Safari for Windows.
Larholm (left) has released an advisory with proof-of-concept code to demo the vulnerability, which can be used to take complete control of a Windows PC if the user simply surfs to a Web page.
Click here for a demo of the flaw, which triggers a Safari crash and bounces through Firefox via the Gopher protocol.
The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically consists of a multitude of different URL schemes, some of which are handled by internal functions and others that are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.
Although the proof-of-concept exploit is launched via Firefox installed on the victim machine, Larholm makes it clear that this is a problem in Safari for Windows. In an interview over IM, he said he did not test the exploit on the Mac OS X platform.
It is important to know that, even though this PoC exploit uses Firefox, the actual vulnerability is within the lack of input validation for the command line arguments handed to the various URL protocol handlers on your machine. As such, there are a lot of different attack vectors for this vulnerability, I simply chose Firefox and the Gopher URL protocol because I was familiar with these.
Larholm isn't the only hacker pounding on the new browser. Within hours of the beta release, two researchers -- David Maynor and Aviv Raff -- used fuzzers to find memory corruption bugs that may be exploitable.
[UPDATE: June 12 2007 @ 9:15 AM] An addendum from David Maynor on his findings:
I'd like to note that we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs. We have weaponized one of those to be reliable and its diffrent that what Thor has found. I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff).