Dailydave mailing list archives
One more thing.. memory corruption in Apple Safari
From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Wed, 13 Jun 2007 00:27:04 +0800
[ Note, I was going to hold off releasing this text for a few days... but as I said below, I'm not the only one to find these bugs. Currently, trying to establish how much cross-over Maynor, Aviv & myself have on these. ]

I've never really been interested in looking for security bugs in Apple products. But recently I decided I'd buy a Macbook Pro when I return to Uni after holidays next month. I love the hardware design, and they have some great features. I waited out until after Steve's impressive keynote at WWDC yesterday to make sure I didn't kick myself for getting an end-of-revision model, and lo and behold a Safari 3.0 Beta was released.

Below are scant details on two memory corruption bugs inside Apple Safari, found approximately 6 hours after Safari 3.0 Beta's release. They have both already been reported to Apple in the manner they request (product-security () apple com). I'm going to refrain from using the abused buzzword '0day' to describe them. They aren't particularly difficult bugs to find and there are plenty of other very intelligent, clever people who could also find these bugs, and may have already. I won't release windbg output or stack information publicly, but remote code execution appears possible.

Crash 1:
md5: 4a28b6fdc557b346db365c467dcf958f
sha1: 45d82277f1975feff0b9d385393420d0f9a256cf
Affected:
Safari 3.0 (522.11) Mac OS X 10.4.9 (PPC)
Safari 3.0 (522.11.3) Windows Vista
Safari 2.0.4 (419.3) Mac OS X 10.4.9 (Intel)
Safari 2.0.4 (419.3) Mac OS X 10.4.9 (PPC)

Crash 2:
md5: 9a99eb9c276fe40ebb721fbec4f6cdb9
sha1: 607cdcac55dc6e6c44ad5906b1095bf5340e206c
Affected:
Safari 3.0 (522.11.3) Windows Vista

I don't want this to become hyperbole fuel in a zealot blog flame war, but I'm a realist & so I've got to expect that this will occur. Frankly, it is easier to find new software vulnerabilities in Apple rather than Microsoft products these days.
The many talented people at Microsoft (MSRC, Michael Howard, Dave Ladd, SDL team et al) have really improved the quality of the code MS produces. Apple, you are a long way behind Microsoft on security, and I wish you'd stop releasing blatantly misleading adverts saying otherwise. There are positives, take note Steve Jobs: if Apple consciously decided to pursue a program of improving their ability to write secure code, I believe great strides could be made. Your customers would appreciate it.

If you are a Windows user and want to keep your computer secure, don't install this piece of Apple software yet. If you're a Mac user, I'd suggest browsing in Firefox, or perhaps telnet, until patches are released by Apple.

- Rhys

PS. To Apple PR: I am not interested in publicly trading insults with you tit-for-tat. Like you, I am a reasonable person who undertook this work for free; I don't expect any reward from Apple other than a better browser, which all the Internet community benefits from. Your Engineering department has already confirmed these bugs really exist. I did not 'break' Safari, it was already broken when you chose to release it to the public. I will not release further technical details publicly until you have shipped patches, or in the eventuality that you do not wish to fix these bugs.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave