Apple hasn't learned from past security mistakes


* Ryan Naraine is on vacation.

Guest editorial by Aviv Raff

Apple's Safari for Windows is a nice browser. It really is. It has a slick user interface, some pretty cool features, and benchmarks show that it is really fast. But saying that it is "secured from day one" is simply not true, to say the least.

Unfortunately, Apple forgot to do the first thing you learn when you get a sunburn -- learn from past mistakes, especially if they were made by others. The following are three prominent examples:

Automatic File Download

This issue is pretty simple. You visit a Web site and, without your confirmation, Safari downloads a file to your computer. Apple first treated the request to fix this issue as an "enhancement request." This security hiccup was discovered by Laurent Gaffie, and then again, in a different variation, by Nitesh Dhanjani.

According to CVE-2007-4424:

"…it could be argued that this is not a vulnerability because a dangerous file is not actually launched, but as of 2007, it is generally accepted that Web browsers should prompt users before saving dangerous content…"

Also, as already confirmed by Apple, this vulnerability can be used in a blended attack to automatically execute arbitrary code remotely, without user interaction. Strike one!

Let's move on…

Browser Fuzzing

July 2006's Month of Browser Bugs was all about fuzzing. During that month and afterwards, several browser fuzzing tools were released by HD Moore, Matthew Murphy, Thierry Zoller and me. Hamachi, CSS-Die, DOM-Hanoi and AxMan were freely available to the public.

Fast forward a year, and Apple Safari for Windows was released. A few hours later, several critical bugs were found, simply by using the publicly available browser fuzzing tools.

Nothing more to add!

Cache and Cookies Predictable Location

Last but not least, a new design flaw. Apple Safari for Windows keeps the Cache and Cookies in files at a predictable location. This design flaw was already researched in the past by several security researchers. This is exactly why the Temporary Internet Files of Internet Explorer are saved in random directories, and Firefox generates a random name for the profile directory.

But not in Apple Safari for Windows. The cache.db (SQLite database file) and cookies.plist (XML file) are saved in the user profile directory under a statically named directory.

Think about a new blended threat: if it is possible to load a local XML file from a remote page (this was possible in the past in other browsers), then in combination with this design flaw an attacker can easily steal all of the user's cookies and hijack browser sessions.

Should we say more?
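
The contrast between a static store path and a randomly named profile directory, as an added Python sketch that is not code from Safari, Firefox or the original article. The application name `ExampleBrowser`, the `profiles.ini` index layout and the 8-character salt are assumptions made for illustration.

```python
import math
import os
import secrets
import string
import tempfile

SALT_ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols
SALT_LEN = 8  # assumption for this sketch, not a value taken from the article


def static_store(base, app="ExampleBrowser"):
    """Weak layout: the path is a pure function of the user profile directory."""
    return os.path.join(base, app, "cookies.plist")


def create_random_profile(base, app="ExampleBrowser"):
    """Hardened layout: the store sits under a directory whose name carries a
    CSPRNG salt that is recorded only in a local index file."""
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))
    profile = os.path.join(base, app, "Profiles", salt + ".default")
    os.makedirs(profile, mode=0o700)  # mode is ignored on Windows
    with open(os.path.join(base, app, "profiles.ini"), "w") as fh:
        fh.write("[Profile0]\nPath=Profiles/%s.default\n" % salt)
    return os.path.join(profile, "cookies.plist")


def resolve_profile(base, app="ExampleBrowser"):
    """How the browser itself finds the store again: read the local index."""
    with open(os.path.join(base, app, "profiles.ini")) as fh:
        for line in fh:
            if line.startswith("Path="):
                rel = line.strip().split("=", 1)[1]
                return os.path.join(base, app, *rel.split("/"), "cookies.plist")
    raise FileNotFoundError("no profile recorded")


def guess_space_bits():
    """Bits of uncertainty faced by content that must guess the path blind."""
    return SALT_LEN * math.log2(len(SALT_ALPHABET))


if __name__ == "__main__":
    # Constructed sandbox standing in for a user profile directory.
    with tempfile.TemporaryDirectory() as home:
        print("static :", static_store(home))
        print("random :", create_random_profile(home))
        print("bits   :", round(guess_space_bits(), 1))
```

The random name only protects against content that has to name the file without being able to list directories; code already running as the user can read the index and find the store.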

In conclusion, before porting the Safari browser from Mac to Windows, Apple should have looked at past browser vulnerabilities and design flaws, and really tried to avoid them.

The examples above show that Apple didn't learn anything from past mistakes.

* Aviv Raff manages a security research team for a Fortune 500 company. You can read about his research at his blog or follow his daily activities on Twitter.


Talkback

30 comments
  • To sum up

    Safari is insecure because other software has exploits.

    Do you get dizzy much from spinning so fast?
    frgough
    • Wow

      Clearly you are missing the bigger picture. Apple's had more problems than just with Safari. Also, keep in mind a majority of the issues you are writing off as someone else's problem would never have existed if not for the automatic download by Safari.

      -Nate
      nmcfeters
      • I'm not missing the bigger picture at all

        Apple's rotten software is Quicktime. It's a mess. I'm glad to
        hear it will be scrapped and replaced with Snow Leopard.

        But to sit here and say Safari has design flaws because hackers
        can use Safari as a vector to access exploits in other software is
        disingenuous to say the least.

        The autodownload feature for Safari IS a harmless annoyance.

        EXCEPT that Explorer has a critical security hole in that it can
        be tricked into automatically running programs without user
        interaction.

        Your credibility dropped into the toilet the moment you threw
        the blame at Safari for an explorer flaw.
        frgough
        • You're wasting your time

          pointing the finger. I don't care if it's Apple or Microsoft responsible, at the end of the day, you have a security problem to fix. I am aware that the article chose to focus on Apple's role in this, and they are culpable to some extent. If my 5-year-old gets in my car and drives it into my neighbor's house, it isn't the fault of the car manufacturer. But if the car had a push-button start, then the car maker could have done something to discourage what happened. Obviously, that is one reason why they don't make cars with push-button start. Can't the same be said for automatic file download in a web browser?
          Real World
          • Push button starting

            "is one reason why they don't make cars with push-button start"

            They do, actually. You still need to have the fob with you, though.
            tikigawd
        • WHAT?!

          You see no problem at all with someone being forced to download executable content to their desktop? No problem at all really?

          Fine, enjoy that feature of Safari.

          I think most sensible people that have knowledge and "credibility" as you say in the computer security world would agree that this is a bad thing. We should be making choices that help people prevent themselves from getting hacked, not allowing hackers to drop executable content on their desktop for them to click.

          -Nate
          nmcfeters
        • i thought

          Snow Leopard was the next gen version of the OS, not a media player??? did i miss something?
          richvball44
        • "The autodownload feature for Safari IS a harmless annoyance." NOT

          The IE exploit aspect is Microsoft's fault. But even if there were no such exploit, automatically downloading arbitrary content and putting it on the desktop is FLAGRANTLY DANGEROUS.

          Simply by visiting a web site, an item can be placed on your desktop WITHOUT your knowledge, which has both a NAME and an ICON that are under the control of the provider, NOT THE USER!

          How in the name of God can you possibly not see the danger of this?

          Harmless annoyance? No.

          It's a HUGE security risk. Period.
          End. Of. Discussion.
          bmerc
    • "Safari is insecure because other software has exploits."

      Ignore the IE aspect. Focus just on one fact.

      Apple decided to allow arbitrary strangers to install arbitrary executable code on your computer. That's an undeniable fact which you have already admitted.

      Automatically downloading executable files and putting them on the user's desktop without express permission is just pure, unadulterated STUPIDITY.
      You can deny this all you want, but it doesn't change the fact that it IS a security risk.

      Don't believe me. Ask any security consultant.

      It's completely indefensible.
      bmerc
  • RE: Apple hasn't learned from past security mistakes

    It probably has more to do with Apple being used to abiding
    by what is considered normal security obligations on Mac OS
    X. Apple doesn't need to learn from past "mistakes" as much
    as it simply needs to remind themselves they're writing
    software for Microsoft Windows.
    Dan Palka
    • Yeah, you think so?

      http://projects.info-pull.com/moab/
      nmcfeters
      • Yeah

        Another area Apple has to work on is getting the open source
        third-party stuff they bundle with OS X updated in a more
        timely manner. Or weren't you aware that most of that list you
        linked is open source stuff (like bonjour).

        In fact, the Pwn2Own contestants cheated to win the Macbook
        Air. They used a known exploit in Perl that they knew Apple
        hadn't patched yet because Apple was still using the old
        libraries.

        So, basically, Apple needs to scrap Quicktime and replace it
        with something written less than 20 years ago, and make sure
        they patch their open source libraries more frequently.

        But, of course, that kind of reasoned headline doesn't grab
        clicks.
        frgough
        • WHAT?!

          So now you are saying it's open source's fault? I've never heard Linux users claim something so ridiculous.

          How about the iPhoto format string flaw I pointed out? That's not third-party and it's not open source.

          I hate when people can't admit their own mistakes. Apple's made some too. Let's drop the fanboy level down to an acceptable level please.

          -Nate
          nmcfeters
          • Don't insult Linux users

            "I've never heard Linux users claim something so ridiculous."

            frgough is very vocal about his hatred of Linux and all things Microsoft. All things not Apple are baaaaaaad and anyone pointing out flaws in Apple products is either overreacting or is on Microsoft's payroll. He is one of my biggest inspirations for my spoof posts against Apple. You take what they say about MS, replace "M$" with Apple, "winblowz" with "OS X", and you will be called an irrational fanboy within seconds. Little do they know they only prove my point. :)
            NonZealot
          • So... when do your spoofs end and your logic begin? [nt]

            [nt]
            olePigeon
          • Nate.. Nate.. Nate...

            Sheesh... You're obviously dealing with a moron who can't tell the difference between the operating system, the media player and a browser.

            How dumping Quicktime will fix a bunch of flaws in Safari or other programs in OSX that have vulnerabilities is a mystery to me and I'll guess pretty much everyone else. Of course, it's probably a mystery to frgough as well. Maybe someone was messing with his head or maybe he just picked up something somewhere and like a parrot is repeating it. Just because a parrot learns to say "Hello" doesn't mean they understand what the word means. All the parrot knows is he gets attention when he makes that particular noise and maybe a snack.
            Wolfie2K3
    • Normal

      "normal security obligations on Mac OS X"
      So getting carpet bombed is normal in OS X?
      yikes

      Yes, software developers have to be mindful of what platform they're writing for. Here's a big fat DUH for you.

      I also remember Apple introducing Safari for Win with these words:
      "Now you can enjoy worry-free web browsing on any computer. Apple engineers designed Safari to be secure from day one"

      hmm...
      tikigawd
  • RE: Apple hasn't learned from past security mistakes

    It looks like the automatic download and the attacks found with the fuzzing tool have been fixed - what is left besides the predictable location of cookies and cache?
    Yaalanhoo
    • What's left.

      "It looks like the automatic download and the attacks found with the fuzzing tool have been fixed - what is left besides the predictable location of cookies and cache?"

      A crap browser, apparently. Got Firefox or Opera?
      harrisharris
  • Weren't these issues addressed..

    in the June 18th Safari update?

    http://news.cnet.com/8301-10789_3-9973224-57.html?hhTest
    msalzberg