[ISN] Apple Goes on Safari With Hostile Security Researchers

From: InfoSec News (alerts@private)
Date: Thu Jun 14 2007 - 23:25:13 PDT


http://www.wired.com/gadgets/mac/news/2007/06/researchersmeetsafari

By Ryan Singel
Wired.com
06.14.07

Security researchers have long speculated that Apple has benefited from 
security by obscurity, escaping attention from malicious hackers because 
Windows-based computers dominate in homes and offices. But Apple's new 
Safari for Windows puts it right in hackers' crosshairs. The browser 
gives hackers another way to attack Windows and security researchers 
will now likely spend hours hunting down holes in the code.

But Apple's culture of secrecy and slick marketing has put it at odds 
with a community that values openness and honesty -- a lot of computer 
security experts aren’t very fond of the computer maker.

Indeed, some in the security community think Apple's stance towards 
security is as bad as Microsoft's was in the days when it was called the 
"Evil Empire," prior to Bill Gates's declaration in 2002 that security 
was the company's top priority.

When asked over the phone if Apple treated security researchers well, 
Black Hat founder Jeff Moss relayed the question to researchers at the 
Computer Security Institute conference. Howls of derisive laughter came 
pouring through his cell phone.

"They are vulnerable like anyone else, but they are still controlled by 
marketing campaigns," said Moss. "Their approach will change -- but when 
will it change?"

Apple has a mixed reputation in the security community. It's been 
criticized for how it handles reports of vulnerabilities, how it reports 
the severity of bugs in automatic security updates and how long it takes 
to patch flaws.

In addition, Moss said Apple has a reputation of not crediting 
researchers who find bugs. Security researchers generally adhere to a 
policy of reporting bugs quietly to software vendors ahead of time in 
return for public credit when a fix is shipped. However, Apple has been 
accused of fixing bugs silently, or fixing a security bug and 
reclassifying it as a "usability bug" rather than crediting researchers.

By releasing a beta version of Safari to the public, Apple expects to 
get feedback on bugs and vulnerabilities, but some researchers are loath 
to provide it unless they get proper credit.

Security researcher David Maynor said he found six Safari bugs in one 
day using commonly available tools that Apple engineers should have used 
themselves.

"Apple is using the research community as their (quality assurance) 
department, which makes me not want to report bugs," he said. "If they 
aren't going to run these tools, why should I run them and report them?"

While Maynor says he follows this policy for companies like Microsoft, 
he refuses to report bugs to Apple following a vitriolic contretemps 
last summer involving a wireless-driver bug. Maynor contends Apple 
attacked his credibility, while Maynor’s detractors say he overstated 
the severity of the exploit.

One of the bugs is a remote exploit that works on the beta browser and 
the current production version of Safari for Mac OS X, according to 
Maynor.

Maynor says he plans to hold onto the exploit until he can buy an iPhone 
and break into it.

Maynor is not alone in probing the new browser. Just one day after Apple 
released the Safari beta, security researchers published detailed 
accounts of critical vulnerabilities in the browser, ranging from 
attacks that simply crashed the browser, to one that allowed a website 
to run commands on the computer of a visitor running Safari.

But animus towards Apple is not universal in the security community.

Dino Dai Zovi, a security researcher who recently won $10,000 by taking 
over a Mac remotely, says he's reported nine vulnerabilities to Apple 
and found them to be as responsive as most in the industry.

Apple tends to be slow issuing patches, according to Dai Zovi, but can 
be quick when there's a lot of public scrutiny, such as with his 
QuickTime/Java exploit, which it fixed in a "groundbreaking" eight days.

But Dai Zovi said Apple may be about to enter much hotter water, thanks 
to its new Windows browser, the hot new iPhone and increased Mac market 
share.

"They are going to have to deal with a lot more vulnerability reports," 
Dai Zovi said. "Just like Microsoft, once the public perception of 
security impacts sales, Apple will most likely step it up."

David Goldsmith, the president of Matasano Security, echoed Dai Zovi's 
take on Apple's handling of reports, saying he's never had a problem 
with Apple not crediting him for a bug, but that in the past Apple had a 
habit of underplaying the severity of the bug.

Goldsmith said Apple might have to fix bugs faster because more people 
will be watching what the company does.

"Apple has a reputation of being more secure and one of the theories is 
that it is because less people are looking at it (for vulnerabilities)," 
Goldsmith said. "(The Windows Safari browser) may prove to be a way of 
validating that claim. It is safe to say they are going to change the 
way they react to these communications just because they will have more 
exposure to them."

Apple was not immediately available for detailed comment, but a 
spokesperson pointed out that the Safari browser relies on an 
open-source browser engine that has been well tested and used by 
companies like Nokia.






This archive was generated by hypermail 2.1.3 : Thu Jun 14 2007 - 23:37:44 PDT