Safari beta zero day

Apple annoy me or rather their security attitude annoys me. I told them about a vulnerability months ago, I persisted and told them again. I got a generic reply from them saying:-

——————————–
Hello,

Thank you for filing this issue via Apple’s bug reporting system. Apple takes every report of a potential security problem very seriously.

After examining your report we do not believe that this issue is a security exposure.

When filing a bug report, other Classification values are available to describe the type of issue: “Performance”, “Crash or Data Loss”, “Serious Bug”, “Other Bug/Has Workaround”, “Feature (New)”, and “Enhancement”. For the request you filed, we will change the classification from “Security” to the appropriate one to assist the engineering teams in handling it.

If you have any questions or concerns please feel free to let us know.

Thank you,

Apple Product Security team
[www.apple.com]
PGP Key ID: 0xB8469E6D
Fingerprint: FD20 40DB F7BC 37B9 6E78 4C3B C800 A2AB B846 9E6D

Then after posting it to sla.ckers I actually talked to someone at Apple, you can view the thread here:-
sla.ckers thread

I was annoyed, Apple clearly don’t understand security I knew when I discovered the flaw it was a major one because local zones shouldn’t be able to access external domains it’s bloody obvious. Then I get this guy from Apple telling me that it isn’t serious, well mate you have to remember attacks get better not worse and now the same flaw can access domains from anywhere. Serious? Damn right it’s serious! It’s a good job I’m a good guy because bad guys wouldn’t be telling anyone that’s for sure and when it came out of beta then boom! All your domains belong to the bad guys.

Safari beta zero day

Screen shot on windows:-
Safari screenshot

Screen shot on OS X:-
OS X screen shot

17 Responses to “Safari beta zero day”

  1. Gareth Heyes writes:

    Forgot to mention, it works on the latest beta 3.03 :)

  2. Ronald writes:

    Yah, that’s really serious.

    Don’t listen to those fools Gareth, they probably thought it was a window spoofing while forgetting that Javascript has access to the page. :)

    Nice find, a classic! ;)

  3. Gareth Heyes writes:

    Cheers Ronald :)

    Good job I found it and not the bad guys or maybe they already did. It just goes to show that it’s best to over estimate a vulnerability than underestimate it.

  4. Ronald writes:

    I posted a snippet about it, it’s really cool stuff.

  5. Gareth Heyes writes:

    Thanks Ronald, what’s interesting about this is the about:blank access, I thought about how I could access the local filesystem and it hit me, about:blank :)

  6. Ronald writes:

    Yes today i’ve been toying with stuff like:

    view-source:about:config

    That view-source scheme must uncover some sensitive stuff somehow! :) But, I have not found any cool stuff.

    A lot to be researched though.

  7. Gareth Heyes writes:

    Ronald that’s cool! Where did you find that out? I never knew about the view-source protocol.

  8. Gareth Heyes writes:

    I’m sure there’s something to that:-
    view-source:chrome://global/locale/config.dtd

    But you would have to access the xml from the iframe in order to use it.

  9. Kae Verens writes:

    interesting… in Linux, Firefox (haven’t got Safari) try this:
    view-source:file:///etc/passwd

    or if you’re root,
    view-source:file:///etc/shadow
    (of course, no-one would ever browse as root ;-) )

  10. Gareth Heyes writes:

    It doesn’t work in Safari, it seems to be a Firefox feature. Lol if you’re browsing as root then you deserve everything you get :)

    Yep I think there is scope for a problem with Firefox, I’d watch Ronald’s blog for updates.

  11. Ronald writes:

    No it’s Netscape only (strictly) I’m sure some freaks have ported it, but that’s not the point.

    Well, it’s tough to read it remotely, but I figured it might divert some filters in Mozilla when I was playing with the chrome. I can access certain sensitive files in Firefox, like preferences but Now I need to figure out how to catch the stuff.

    Still is, it works locally. And you don’t need any privileges to read stuff. So it could be used to read files where you would not have access.

  12. Ronald writes:

    BTW: MSIE did have it, but they disabled it in MSIE 7, which was a wise choice. And yes Mozilla is walking behind the facts again.

  13. Wez Furlong writes:

    With software products that are shipped to the end-user, beta status means that there are problems, known or otherwise and the beta tester expects to run into problems, and expects to have to wait for a new beta release to correct them, even if they are super critical bugs.

    It’s great that you filed a bug, but you can’t expect fixes in beta releases on your schedule.

    When they go gold, it had better be fixed, of course. But until then, you need to set your expectations correctly–and it I think that you can blame Web2.0 perpetual beta services for your misconception about beta software products.

  14. Wez Furlong writes:

    and perhaps I should clean my glasses, because I missed the part where apple said it wasn’t a bug…
    Ignore my previous comment :)

  15. thorin writes:

    @Wez

    It’s not that they said it wasn’t a bug it’s that they said it wasn’t a security issue.

  16. luke writes:

    Firefox 2.0.0.7 is also vulnerable

  17. Gareth Heyes writes:

    Luke I’m not sure if Firefox 2.0.0.7 is vulnerable, the POC should display an alert box with the source and cookies from the Amazon domain, when I tired it in Firefox this did not work.