Grrr
Thursday 14th June, 2007 22:18 Comments: 5
I often post about Apple and I often post about The Register. Today I read an article about Apple on The Register. Specifically, about Safari. Apple have released their browser for Windows users. They claimed it was designed "to be secure from day one", but researchers quickly proved otherwise. Apple were quick to release an update, which The Register states plugged "three serious holes that could allow miscreants to commandeer a user's machine", and then added "Mac users are unaffected by the vulnerabilities and need not take action".
Without knowing specifically which ones were patched, I'm left with two conclusions. Either The Register is lying or Apple haven't patched the gaping vulnerability that affects both Windows and OSX (more likely). According to David Maylor: "we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs. We have weaponized one of those to be reliable and its different that what Thor has found. I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff). The exploit is robust mostly thanks to the lack of any kind of advanced security features in OSX". The current production copy is Safari 2.0.4.
Without knowing specifically which ones were patched, I'm left with two conclusions. Either The Register is lying or Apple haven't patched the gaping vulnerability that affects both Windows and OSX (more likely). According to David Maylor: "we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs. We have weaponized one of those to be reliable and its different that what Thor has found. I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff). The exploit is robust mostly thanks to the lack of any kind of advanced security features in OSX". The current production copy is Safari 2.0.4.
Yamahito - Friday 15th June, 2007 09:11 what exactly does he mean by 'advanced security features in OSX'
linky linky?
I'd imagine it's the sort of phrase a lot of hardcore mac enthusiasts would have an aneurism about ;)
linky linky?
I'd imagine it's the sort of phrase a lot of hardcore mac enthusiasts would have an aneurism about ;)
I quoted David Maylor's post from:
http://erratasec.blogspot.com/2007/06/niiiice.html
And at the end of the quote he added "I write about it here" with a link to:
http://erratasec.blogspot.com/2007/02/bill-gates-fights-back-against-evil.html
Things that are missing from OSX are features like ASLR, although this isn't perfect, as a loop in IE can potentially bruteforce all the possibilities.
There was a nice chart online; it's gone now, but you can see it on page 41 of this presentation: http://rjohnson.uninformed.org/toorcon8/rjohnson%20-%20Windows%20Vista%20Exploitation%20Countermeasures.ppt (NOTE: the presentation is from Microsoft)
RHEL and OpenBSD are pretty good and comparable to Vista, XP SP2 is somewhere in the middle, while Apple trails in last place.
http://erratasec.blogspot.com/2007/06/niiiice.html
And at the end of the quote he added "I write about it here" with a link to:
http://erratasec.blogspot.com/2007/02/bill-gates-fights-back-against-evil.html
Things that are missing from OSX are features like ASLR, although this isn't perfect, as a loop in IE can potentially bruteforce all the possibilities.
There was a nice chart online; it's gone now, but you can see it on page 41 of this presentation: http://rjohnson.uninformed.org/toorcon8/rjohnson%20-%20Windows%20Vista%20Exploitation%20Countermeasures.ppt (NOTE: the presentation is from Microsoft)
RHEL and OpenBSD are pretty good and comparable to Vista, XP SP2 is somewhere in the middle, while Apple trails in last place.
As far as I can tell, Maylor is the only bloke claiming to have found this bug across both OSs. He has a bad reputation for claiming to have found bugs which he then refuses to elucidate on. And a massive chip on his shoulder against apple and its fans.
I'm pretty sure that's a case of him being a twat rather than incompetent; chances are that exploits are exaggerated rather than fraudulent. Still, it's a sucky way to make a name for yourself.
Personally I believe that all these bugs should be made very public as soon as possible. One of the best things that could happen to apple (in terms of security, definitely not PR) is a massive virus or exploit to wake up the user base.
I'd also be interested to find out how many of the criticisms he's levelled against the OS will be addressed in the latest OSX release later this year.
I'm pretty sure that's a case of him being a twat rather than incompetent; chances are that exploits are exaggerated rather than fraudulent. Still, it's a sucky way to make a name for yourself.
Personally I believe that all these bugs should be made very public as soon as possible. One of the best things that could happen to apple (in terms of security, definitely not PR) is a massive virus or exploit to wake up the user base.
I'd also be interested to find out how many of the criticisms he's levelled against the OS will be addressed in the latest OSX release later this year.
I think the massive chip came from Apple's poor handling of the OS X wireless situation (admittedly I don't think he helped), but he did find vulnerabilities that were patched, so I'm inclined to trust him when he says he's discovered stuff.
Full disclosure is a tricky thing. I think that customers/users should know there are problems as soon as possible, but there can be problems, such as:
1) Accidentally revealing too much information, making it trivial for attackers to discover the flaw and use it in the wild
2) Many users have insufficient knowledge to help them decide on the right action to take, so your average user doesn't gain anything
3) The vulnerability is tricky to fix and requires a lot of testing, which could put users at risk for an extended period of time
Responsible disclosure means that you never reveal "too much" information about the vulnerability. Unfortunately, many researchers like the publicity and kudos, or feel they have to justify their findings with some sort of proof of concept exploit that's easy to replace with a malicious payload. If the information is too generic, there's no real point in telling anyone about it.
You can try and educate users, but typically they just want automatic updates. They don't want to read about workarounds, and they don't want them to happen too often or it feels like they're being nagged.
Knowing when to release details is tricky as unless you have a good relationship with the vendor and the vendor knows how long it'll take to create a patch, it can often be difficult to know when to release information. Many places wait (e.g. 30 days after notifying the vendor, or the day that a patch is released), and this tends to be the most responsible way to do things.
What is irresponsible is when the researcher doesn't tell the vendor for several months, such as the very recent SChannel heap corruption patch: http://www.securityfocus.com/archive/1/471203
AFAIK Leopard doesn't introduce any advanced security features, even though OpenBSD and Linux has had them for a while. OS X might have started with a decent kernel, but Apple seem to be adding (badly written) new code without introducing any of the useful security features seen in the BSD/Linux community. Microsoft, on the other hand, have started from a dodgy kernel and are slowly introducing well written applications and continually improving the core. Both approaches are flawed.
Full disclosure is a tricky thing. I think that customers/users should know there are problems as soon as possible, but there can be problems, such as:
1) Accidentally revealing too much information, making it trivial for attackers to discover the flaw and use it in the wild
2) Many users have insufficient knowledge to help them decide on the right action to take, so your average user doesn't gain anything
3) The vulnerability is tricky to fix and requires a lot of testing, which could put users at risk for an extended period of time
Responsible disclosure means that you never reveal "too much" information about the vulnerability. Unfortunately, many researchers like the publicity and kudos, or feel they have to justify their findings with some sort of proof of concept exploit that's easy to replace with a malicious payload. If the information is too generic, there's no real point in telling anyone about it.
You can try and educate users, but typically they just want automatic updates. They don't want to read about workarounds, and they don't want them to happen too often or it feels like they're being nagged.
Knowing when to release details is tricky as unless you have a good relationship with the vendor and the vendor knows how long it'll take to create a patch, it can often be difficult to know when to release information. Many places wait (e.g. 30 days after notifying the vendor, or the day that a patch is released), and this tends to be the most responsible way to do things.
What is irresponsible is when the researcher doesn't tell the vendor for several months, such as the very recent SChannel heap corruption patch: http://www.securityfocus.com/archive/1/471203
Discovery Date:
28th August 2006
Date reported to Microsoft:
19th March 2007
28th August 2006
Date reported to Microsoft:
19th March 2007
AFAIK Leopard doesn't introduce any advanced security features, even though OpenBSD and Linux has had them for a while. OS X might have started with a decent kernel, but Apple seem to be adding (badly written) new code without introducing any of the useful security features seen in the BSD/Linux community. Microsoft, on the other hand, have started from a dodgy kernel and are slowly introducing well written applications and continually improving the core. Both approaches are flawed.
The discussion about whether or not to fully disclose isn't a new one:
http://www.crypto.com/hobbs.html
:)
http://www.crypto.com/hobbs.html
:)