Dailydave mailing list archives

One more thing.. memory corruption in Apple Safari


From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Wed, 13 Jun 2007 00:27:04 +0800

[ Note, I was going to hold off releasing this text for a few days... but as
I said below, I'm not the only one to find these bugs. Currently, trying to
establish how much cross-over Maynor, Aviv & myself have on these. ]

I've never really been interested in looking for security bugs in Apple
products. But recently I decided I'd buy a MacBook Pro when I return to Uni
after holidays next month. I love the hardware design, and they have some
great features. I waited until after Steve's impressive keynote at WWDC
yesterday to make sure I didn't kick myself for getting an end-of-revision
model, and lo and behold a Safari 3.0 Beta was released.

Below are scant details on two memory corruption bugs inside Apple Safari,
found approximately 6 hours after Safari 3.0 Beta's release. They have both
already been reported to Apple in the manner they request (
product-security () apple com). I'm going to refrain from using the abused
buzzword '0day' to describe them. They aren't particularly difficult bugs to
find and there are plenty of other very intelligent, clever people who could
also find these bugs, and may have already. I won't release windbg output or
stack information publicly, but remote code execution appears possible.


Crash 1:
md5:  4a28b6fdc557b346db365c467dcf958f
sha1: 45d82277f1975feff0b9d385393420d0f9a256cf

Affected
   Safari 3.0   (522.11)   Mac OS X 10.4.9 (PPC)
   Safari 3.0   (522.11.3) Windows Vista
   Safari 2.0.4 (419.3)    Mac OS X 10.4.9 (Intel)
   Safari 2.0.4 (419.3)    Mac OS X 10.4.9 (PPC)


Crash 2:
md5:  9a99eb9c276fe40ebb721fbec4f6cdb9
sha1: 607cdcac55dc6e6c44ad5906b1095bf5340e206c

Affected
   Safari 3.0   (522.11.3) Windows Vista


I don't want this to become hyperbole fuel in a zealot blog flame war, but
I'm a realist & so I've got to expect that this will occur. Frankly, it is
easier to find new software vulnerabilities in Apple rather than Microsoft
products these days. The many talented people at Microsoft (MSRC, Michael
Howard, Dave Ladd, SDL team et al) have really improved the quality of the
code MS produces. Apple, you are a long way behind Microsoft on security, and
I wish you'd stop releasing blatantly misleading adverts saying otherwise.
There are positives. Take note, Steve Jobs: if Apple consciously decided to
pursue a program of improving their ability to write secure code, I believe
great strides could be made. Your customers would appreciate it.

If you are a Windows user and want to keep your computer secure, don't
install this piece of Apple software yet. If you're a Mac user, I'd suggest
browsing in Firefox, or perhaps telnet until patches are released by Apple.

- Rhys

PS. To Apple PR: I am not interested in publicly trading insults with you
tit-for-tat. Like you, I am a reasonable person who undertook this work for
free; I don't expect any reward from Apple other than a better browser,
which all the Internet community benefits from. Your Engineering department
has already confirmed these bugs really exist. I did not 'break' Safari, it
was already broken when you chose to release it to the public. I will not
release further technical details publicly until you have shipped patches,
or in the eventuality that you do not wish to fix these bugs.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave