Is Safari Safe?
06.13.07 - 01:02pm
Hackers are finding numerous security holes in Apple’s new web browser Safari punching holes into Apple’s statement “Secure from Day One”, prompting hacker Avin Raff to say “I guess we can now call it ‘Day Zero’.”
In total hackers found over 18 bugs in the interface and are still counting.
David Maynor of Errata Security, was the first to find a flaw just two hours after Safari’s release and found six by the end of
the day. Maynor said four could be exploited to crash the browser and/or PC in a denial-of-service attack and the other two were remote execution vulnerabilities.
Aviv Raff, an Israeli security researcher posted a bug shortly after Maynor. Raff said, “I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and I. This is a memory corruption vulnerability, which is potentially exploitable for remote code execution.
Thor Larholm, a Danish researcher provided the most damaging disclosure by building a code that could hijack a PC. Larholm said he built the exploit in just two hours after plucking the vulnerability from the browser.
Tom Ferris, another researcher said that his vulnerability testing “fuzzer” software turned up 10 flaws in just five minutes.
Researchers are blaming Apples lack of security features for the problems. Maynor stated, “The exploit is robust mostly thanks to the lack of any kind of advanced security features in OS X.â€
Larholm wrote in his blog, “Given that Apple has had a lousy track record with security on [Mac] OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser,”
Raff said, “My guess is that it’s because of Apple’s issues with security researchers and the false claims that their products are far more secure than others.”
Apple officials have not yet responded to requests for comments on the security of the browser.
Speak Your Peace