Apple annoy me or rather their security attitude annoys me. I told them about a vulnerability months ago, I persisted and told them again. I got a generic reply from them saying:-
——————————–
Hello,
Thank you for filing this issue via Apple’s bug reporting system. Apple takes every report of a potential security problem very seriously.
After examining your report we do not believe that this issue is a security exposure.
When filing a bug report, other Classification values are available to describe the type of issue: “Performance”, “Crash or Data Loss”, “Serious Bug”, “Other Bug/Has Workaround”, “Feature (New)”, and “Enhancement”. For the request you filed, we will change the classification from “Security” to the appropriate one to assist the engineering teams in handling it.
If you have any questions or concerns please feel free to let us know.
Thank you,
Apple Product Security team
[www.apple.com]
PGP Key ID: 0xB8469E6D
Fingerprint: FD20 40DB F7BC 37B9 6E78 4C3B C800 A2AB B846 9E6D
Then after posting it to sla.ckers I actually talked to someone at Apple, you can view the thread here:-
sla.ckers thread
I was annoyed, Apple clearly don’t understand security I knew when I discovered the flaw it was a major one because local zones shouldn’t be able to access external domains it’s bloody obvious. Then I get this guy from Apple telling me that it isn’t serious, well mate you have to remember attacks get better not worse and now the same flaw can access domains from anywhere. Serious? Damn right it’s serious! It’s a good job I’m a good guy because bad guys wouldn’t be telling anyone that’s for sure and when it came out of beta then boom! All your domains belong to the bad guys.
Screen shot on windows:-
Screen shot on OS X:-
Comments 17
Forgot to mention, it works on the latest beta 3.03
Posted 17 Aug 2007 at 9:55 am ¶Yah, that’s really serious.
Don’t listen to those fools Gareth, they probably thought it was a window spoofing while forgetting that Javascript has access to the page.
Nice find, a classic!
Posted 17 Aug 2007 at 10:08 am ¶Cheers Ronald
Good job I found it and not the bad guys or maybe they already did. It just goes to show that it’s best to over estimate a vulnerability than underestimate it.
Posted 17 Aug 2007 at 10:12 am ¶I posted a snippet about it, it’s really cool stuff.
Posted 17 Aug 2007 at 10:50 am ¶Thanks Ronald, what’s interesting about this is the about:blank access, I thought about how I could access the local filesystem and it hit me, about:blank
Posted 17 Aug 2007 at 10:53 am ¶Yes today i’ve been toying with stuff like:
view-source:about:config
That view-source scheme must uncover some sensitive stuff somehow!
But, I have not found any cool stuff.
A lot to be researched though.
Posted 17 Aug 2007 at 12:19 pm ¶Ronald that’s cool! Where did you find that out? I never knew about the view-source protocol.
Posted 17 Aug 2007 at 12:38 pm ¶I’m sure there’s something to that:-
view-source:chrome://global/locale/config.dtd
But you would have to access the xml from the iframe in order to use it.
Posted 17 Aug 2007 at 1:04 pm ¶interesting… in Linux, Firefox (haven’t got Safari) try this:
view-source:file:///etc/passwd
or if you’re root,
)
Posted 17 Aug 2007 at 1:36 pm ¶view-source:file:///etc/shadow
(of course, no-one would ever browse as root
It doesn’t work in Safari, it seems to be a Firefox feature. Lol if you’re browsing as root then you deserve everything you get
Yep I think there is scope for a problem with Firefox, I’d watch Ronald’s blog for updates.
Posted 17 Aug 2007 at 1:55 pm ¶No it’s Netscape only (strictly) I’m sure some freaks have ported it, but that’s not the point.
Well, it’s tough to read it remotely, but I figured it might divert some filters in Mozilla when I was playing with the chrome. I can access certain sensitive files in Firefox, like preferences but Now I need to figure out how to catch the stuff.
Still is, it works locally. And you don’t need any privileges to read stuff. So it could be used to read files where you would not have access.
Posted 17 Aug 2007 at 4:58 pm ¶BTW: MSIE did have it, but they disabled it in MSIE 7, which was a wise choice. And yes Mozilla is walking behind the facts again.
Posted 17 Aug 2007 at 5:03 pm ¶With software products that are shipped to the end-user, beta status means that there are problems, known or otherwise and the beta tester expects to run into problems, and expects to have to wait for a new beta release to correct them, even if they are super critical bugs.
It’s great that you filed a bug, but you can’t expect fixes in beta releases on your schedule.
When they go gold, it had better be fixed, of course. But until then, you need to set your expectations correctly–and it I think that you can blame Web2.0 perpetual beta services for your misconception about beta software products.
Posted 17 Aug 2007 at 6:53 pm ¶and perhaps I should clean my glasses, because I missed the part where apple said it wasn’t a bug…
Posted 17 Aug 2007 at 6:57 pm ¶Ignore my previous comment
@Wez
It’s not that they said it wasn’t a bug it’s that they said it wasn’t a security issue.
Posted 03 Oct 2007 at 12:50 pm ¶Firefox 2.0.0.7 is also vulnerable
Posted 06 Oct 2007 at 7:01 pm ¶Luke I’m not sure if Firefox 2.0.0.7 is vulnerable, the POC should display an alert box with the source and cookies from the Amazon domain, when I tired it in Firefox this did not work.
Posted 06 Oct 2007 at 11:01 pm ¶Post a Comment