Apple Inc. launched a beta version of its Safari browser for Windows Monday, and within hours vulnerability researchers were picking it apart for security holes. It didn't take them long to find something.
Safari, long a part
Denmark-based researcher Thor Larholm was among those to report a problem with the new version of Safari Monday. He claimed to have developed a fully functional command execution vulnerability within two hours of installing Safari on his computer, triggered simply by visiting a Web site.
"Given that Apple has had a lousy track record with security on [Mac] OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser," Larholm wrote in his blog.
He noted that well-known researchers David Maynor and Aviv Raff are also "pounding" Safari for flaws and are easily finding problems. Maynor, co-founder and chief technology officer of Atlanta-based Errata Security, wrote in the Errata Security blog that his team found a memory corruption flaw "in no time" using publicly available tools.
"I'd like to note that we found a total of six bugs in an afternoon, four [denial-of-service] and two remote code execution bugs," Maynor wrote. "We have weaponized one of those to be reliable ... The bugs found in the beta copy of Safari on Windows work on the production copy on [Mac] OS X as well. The exploit is robust mostly thanks to the lack of any kind of advanced security features in OS X."
In an email alert to customers of its DeepSight threat management service, Cupertino, Calif.-based Symantec Corp. warned that attackers could use at least one of the flaws to pass arbitrary command line arguments to any application that can be called through a protocol handler.
Of Larholm's discovery, Symantec said, "This specific vulnerability relies on the use of IFRAME elements and is highly extensible in destructive capabilities if used in conjunction with Mozilla XPCOM components."
Specifically, Symantec said, "Safari does not properly sanitize input passed through IFRAME elements, allowing a remote attacker to pass arbitrary command line arguments to affected systems through the use of URL protocol handlers available on the Windows platform."
As a precaution, Symantec recommended that users avoid links provided by unknown or untrusted sources, be wary of untrusted Web sites, and reject communications that originate from unknown or untrusted sources. Users also should not open or accept unsolicited HTML email, as it may provide an attack vector for numerous vulnerabilities, Symantec said.
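
The flaw class Symantec describes, unsanitized URL text reaching a protocol handler's command line, can be modeled in a few lines to show why the sanitizing step matters. This is an added example, not code from Apple, Symantec or the researchers; the `exampleapp:` handler, its command template and the sample URL are constructed, and the argument splitter is a simplification of Windows parsing.

```javascript
// Constructed command template for a hypothetical "exampleapp:" protocol handler.
// The browser substitutes the clicked or framed URL for %1.
const HANDLER_TEMPLATE = '"C:\\Program Files\\ExampleApp\\app.exe" -url "%1"';

// Constructed URL whose embedded quote closes the "%1" argument early.
const HOSTILE_URL = 'exampleapp://open" --injected-flag "x';

// Simplified splitter: whitespace separates arguments, double quotes group.
// Real Windows parsing also treats backslash-quote sequences specially.
function splitArgs(cmdline) {
  const args = [];
  let cur = '', inQuotes = false, started = false;
  for (const ch of cmdline) {
    if (ch === '"') {
      inQuotes = !inQuotes;
      started = true;
    } else if (/\s/.test(ch) && !inQuotes) {
      if (started) { args.push(cur); cur = ''; started = false; }
    } else {
      cur += ch;
      started = true;
    }
  }
  if (started) args.push(cur);
  return args;
}

// Percent-encode characters that can end or escape the quoted argument.
function sanitizeUrl(url) {
  return url.replace(/["\s\\<>`]/g, (c) => encodeURIComponent(c));
}

// Arguments the handler process would receive, with or without sanitizing.
function handlerArgs(url, sanitize) {
  const value = sanitize ? sanitizeUrl(url) : url;
  return splitArgs(HANDLER_TEMPLATE.replace('%1', () => value));
}

console.log('unsanitized:', handlerArgs(HOSTILE_URL, false));
console.log('sanitized:  ', handlerArgs(HOSTILE_URL, true));
```

Without sanitizing, the handler sees five arguments, including a flag the URL supplied; with it, the whole URL stays inside the single `-url` value.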