Safari beta zero day
Friday, 17 August 2007
Apple annoy me or rather their security attitude annoys me. I told them about a vulnerability months ago, I persisted and told them again. I got a generic reply from them saying:-
——————————–
Hello,
Thank you for filing this issue via Apple’s bug reporting system. Apple takes every report of a potential security problem very seriously.
After examining your report we do not believe that this issue is a security exposure.
When filing a bug report, other Classification values are available to describe the type of issue: “Performance”, “Crash or Data Loss”, “Serious Bug”, “Other Bug/Has Workaround”, “Feature (New)”, and “Enhancement”. For the request you filed, we will change the classification from “Security” to the appropriate one to assist the engineering teams in handling it.
If you have any questions or concerns please feel free to let us know.
Thank you,
Apple Product Security team
[www.apple.com]
PGP Key ID: 0xB8469E6D
Fingerprint: FD20 40DB F7BC 37B9 6E78 4C3B C800 A2AB B846 9E6D
Then after posting it to sla.ckers I actually talked to someone at Apple, you can view the thread here:-
sla.ckers thread
I was annoyed, Apple clearly don’t understand security I knew when I discovered the flaw it was a major one because local zones shouldn’t be able to access external domains it’s bloody obvious. Then I get this guy from Apple telling me that it isn’t serious, well mate you have to remember attacks get better not worse and now the same flaw can access domains from anywhere. Serious? Damn right it’s serious! It’s a good job I’m a good guy because bad guys wouldn’t be telling anyone that’s for sure and when it came out of beta then boom! All your domains belong to the bad guys.
No. 1 — August 17th, 2007 at 9:55 am
Forgot to mention, it works on the latest beta 3.03 π
No. 2 — August 17th, 2007 at 10:08 am
Yah, that’s really serious.
Don’t listen to those fools Gareth, they probably thought it was a window spoofing while forgetting that Javascript has access to the page. π
Nice find, a classic! π
No. 3 — August 17th, 2007 at 10:12 am
Cheers Ronald π
Good job I found it and not the bad guys or maybe they already did. It just goes to show that it’s best to over estimate a vulnerability than underestimate it.
No. 4 — August 17th, 2007 at 10:50 am
I posted a snippet about it, it’s really cool stuff.
No. 5 — August 17th, 2007 at 10:53 am
Thanks Ronald, what’s interesting about this is the about:blank access, I thought about how I could access the local filesystem and it hit me, about:blank π
No. 6 — August 17th, 2007 at 12:19 pm
Yes today i’ve been toying with stuff like:
view-source:about:config
That view-source scheme must uncover some sensitive stuff somehow! π But, I have not found any cool stuff.
A lot to be researched though.
No. 7 — August 17th, 2007 at 12:38 pm
Ronald that’s cool! Where did you find that out? I never knew about the view-source protocol.
No. 8 — August 17th, 2007 at 1:04 pm
I’m sure there’s something to that:-
view-source:chrome://global/locale/config.dtd
But you would have to access the xml from the iframe in order to use it.
No. 9 — August 17th, 2007 at 1:36 pm
interesting… in Linux, Firefox (haven’t got Safari) try this:
view-source:file:///etc/passwd
or if you’re root,
view-source:file:///etc/shadow
(of course, no-one would ever browse as root π )
No. 10 — August 17th, 2007 at 1:55 pm
It doesn’t work in Safari, it seems to be a Firefox feature. Lol if you’re browsing as root then you deserve everything you get π
Yep I think there is scope for a problem with Firefox, I’d watch Ronald’s blog for updates.
No. 11 — August 17th, 2007 at 4:58 pm
No it’s Netscape only (strictly) I’m sure some freaks have ported it, but that’s not the point.
Well, it’s tough to read it remotely, but I figured it might divert some filters in Mozilla when I was playing with the chrome. I can access certain sensitive files in Firefox, like preferences but Now I need to figure out how to catch the stuff.
Still is, it works locally. And you don’t need any privileges to read stuff. So it could be used to read files where you would not have access.
No. 12 — August 17th, 2007 at 5:03 pm
BTW: MSIE did have it, but they disabled it in MSIE 7, which was a wise choice. And yes Mozilla is walking behind the facts again.
No. 13 — August 17th, 2007 at 6:53 pm
With software products that are shipped to the end-user, beta status means that there are problems, known or otherwise and the beta tester expects to run into problems, and expects to have to wait for a new beta release to correct them, even if they are super critical bugs.
It’s great that you filed a bug, but you can’t expect fixes in beta releases on your schedule.
When they go gold, it had better be fixed, of course. But until then, you need to set your expectations correctly–and it I think that you can blame Web2.0 perpetual beta services for your misconception about beta software products.
No. 14 — August 17th, 2007 at 6:57 pm
and perhaps I should clean my glasses, because I missed the part where apple said it wasn’t a bug…
Ignore my previous comment π
No. 15 — October 3rd, 2007 at 12:50 pm
@Wez
It’s not that they said it wasn’t a bug it’s that they said it wasn’t a security issue.
No. 16 — October 6th, 2007 at 7:01 pm
Firefox 2.0.0.7 is also vulnerable
No. 17 — October 6th, 2007 at 11:01 pm
Luke I’m not sure if Firefox 2.0.0.7 is vulnerable, the POC should display an alert box with the source and cookies from the Amazon domain, when I tired it in Firefox this did not work.