Safari Exploits Come Fast and Furious
|
It didn't take long after the beta of Apple's Safari for Windows became available before the vulnerabilities and exploits started hitting the fan. Attacking Safari appears to be one of those shooting fish in a barrel deals, and there hasn't even been time to fuzz yet. Ryan Naraine beat me to the general survey of vulnerabilities. The ones he describes seem to be memory corruption bugs that crash the browser and sometimes turn exploitable. But Thor Larholm quickly found the real deal: A protocol handler command injection vulnerability that allows the attacker to run executable programs on the PC. This is not a bug in the sense of the memory corruption bugs, but a design flaw. Just for jollies, his example utilized Firefox as part of the exploit, but the actual vulnerability is in Safari, in its failure to validate input. [Edited to fix typo - Thanks Candace.] |
Comments (3)
Hey, what's all the fuss about? How do you think Apple would make Safari so much faster unless they cut out some of the security mumbo-jumbo hampering the other browsers? Validating user input is hard, and burns processor cycles.
(tongue-in-cheek, in case you didn't catch it in my tone)
Posted by Paul McNett | June 12, 2007 2:50 PM
It's great that these hackers are doing such a thorough job beta testing pre-release of Safari for windows.
i wonder why apple didn't release safari sooner on windows, you only need to have so much security compared to IE, and the hackers do lots of testing for you. (hehe)
Posted by msbob | June 12, 2007 3:09 PM
"memory corruption bugs that crash toe browser"
Gee, I'm glad I'm not using a "toe browser".
Posted by Candace | June 12, 2007 4:55 PM