Numerous Bugs in Safari 3.0 for Windows Beta

Browser vulnerabilities are serious business. Windows administrators already have contend with Microsoft Internet Explorer (IE) bugs flying out of the woodwork nearly faster than Microsoft can fix them, Mozilla Firefox bugs appearing at a lesser rate, and of course bugs in the Opera browser. If that isn't enough to keep up with, we're about to see another browser and its inevitable security vulnerabilities added to the mix.

Apple recently released a beta version of Safari 3.0.1 for Windows (see the first URL below). Security researchers immediately began banging away at it looking for vulnerabilities, and they've already struck pay dirt. A torrent of newfound vulnerabilities is now raining down upon Safari.

http://www.apple.com/safari/download/

Writing in his company blog (at the URL below), Dave Maynor of Errata Security, said, "We found a total of six bugs in an afternoon, 4 [of which lead to] denial of service and two [that allow] remote code execution." Maynor added that while he did test the beta for Windows, the bugs also exist in a production version of Safari for OS X. Maynor also said that he has "weaponized" one of the bugs into a working exploit.

http://erratasec.blogspot.com/2007/06/niiiice.html

Maynor isn't alone in his discoveries. Aviv Raff also put Safari through a hammering. Raff said that "I wasn't surprised to get a nice crash a few minutes later." What Raff discovered was a memory corruption problem, which can often lead to remote exploits. See the URL below for details.

http://aviv.raffon.net/CommentView,guid,54A1DB79-0ECB-4F13-99AE-45BAB70C4256.aspx#a0ac5417-013d-43ae-9abc-7d265113892c

Two more researchers, "jsz" and "Trancer," discovered a Denial of Service (DoS) exploit, which you can read about at the first URL below. Tom Ferris said he found 10 vulnerabilities (at the second URL below) but didn't elaborate. He's holding them until the browser is released.

http://www.rec-sec.co.il/2007/06/12/apple-safari-for-windows-vulnerabilities

http://security-protocols.com/2007/06/12/safari-3-beta-released-on-windows/

Robert Swiecki discovered a spoofing vulnerability in the first beta release (see the first URL below) that has been fixed in the Safari 3.0.1 beta. And Thor Larholm discovered "a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site." See the second URL for information on that problem. I'm sure there are other Safari 3.0.1 vulnerabilities that I haven't learned about yet.

http://www.securityfocus.com/bid/24457/

http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/

Like Microsoft, which attempts to write applications that are "secure by design," Apple boasts that it "designed Safari to be secure from day one." But as the flurry of vulnerabilities shows, Apple's contention doesn't hold water.

Because Apple has reacted rather harshly (and sometimes with media spin) to a few previous incidents of reported security problems, some researchers, such as Maynor and Ferris, have little if any intention of notifying Apple up front about the details of their discoveries.

Although Apple has already plugged a few of the holes mentioned in this article, I'm still almost certain that we're going to see a lot of zero-day exploits against Safari. As is often said in the security industry, "You've been warned."