http://www.wired.com/gadgets/mac/news/2007/06/researchersmeetsafari

By Ryan Singel
Wired.com
06.14.07

Security researchers have long speculated that Apple has benefited from security by obscurity, escaping attention from malicious hackers because Windows-based computers dominate in homes and offices. But Apple's new Safari for Windows puts it right in hackers' crosshairs.

The browser gives hackers another way to attack Windows, and security researchers will now likely spend hours hunting down holes in the code. But Apple's culture of secrecy and slick marketing has put it at odds with a community that values openness and honesty -- a lot of computer security experts aren't very fond of the computer maker.

Indeed, some in the security community think Apple's stance towards security is as bad as Microsoft's was in the days when it was called the "Evil Empire," prior to Bill Gates's declaration in 2002 that security was the company's top priority.

When asked over the phone if Apple treated security researchers well, Black Hat founder Jeff Moss relayed the question to researchers at the Computer Security Institute conference. Howls of derisive laughter came pouring through his cell phone.

"They are vulnerable like anyone else, but they are still controlled by marketing campaigns," said Moss. "Their approach will change -- but when will it change?"

Apple has a mixed reputation in the security community. It's been criticized for how it handles reports of vulnerabilities, how it reports the severity of bugs in automatic security updates and how long it takes to patch flaws. In addition, Moss said Apple has a reputation of not crediting researchers who find bugs.

Security researchers generally adhere to a policy of reporting bugs quietly to software vendors ahead of time in return for public credit when a fix is shipped. However, Apple has been accused of fixing bugs silently, or of fixing a security bug and reclassifying it as a "usability bug" rather than crediting researchers.

By releasing a beta version of Safari to the public, Apple expects to get feedback on bugs and vulnerabilities, but some researchers are loath to provide it unless they get proper credit.

Security researcher David Maynor said he found six Safari bugs in one day using commonly available tools that Apple engineers should have used themselves.

"Apple is using the research community as their (quality assurance) department, which makes me not want to report bugs," he said. "If they aren't going to run these tools, why should I run them and report them?"

While Maynor says he follows this policy for companies like Microsoft, he refuses to report bugs to Apple following a vitriolic contretemps last summer involving a wireless-driver bug. Maynor contends Apple attacked his credibility, while Maynor's detractors say he overstated the severity of the exploit.

One of the bugs is a remote exploit that works on the beta browser and the current production version of Safari for Mac OS X, according to Maynor. Maynor says he plans to hold onto the exploit until he can buy an iPhone and break into it.

Maynor is not alone in probing the new browser. Just one day after Apple released the Safari beta, security researchers published detailed accounts of critical vulnerabilities in the browser, ranging from attacks that simply crashed the browser to one that allowed a website to run commands on the computer of a visitor running Safari.

But animus towards Apple is not universal in the security community. Dino Dai Zovi, a security researcher who recently won $10,000 by taking over a Mac remotely, says he's reported nine vulnerabilities to Apple and found them to be as responsive as most in the industry.

Apple tends to be slow issuing patches, according to Dai Zovi, but can be quick when there's a lot of public scrutiny, such as with his QuickTime/Java exploit, which it fixed in a "groundbreaking" eight days.

But Dai Zovi said Apple may be about to enter much hotter water, thanks to its new Windows browser, the hot new iPhone and increased Mac market share.

"They are going to have to deal with a lot more vulnerability reports," Dai Zovi said. "Just like Microsoft, once the public perception of security impacts sales, Apple will most likely step it up."

David Goldsmith, the president of Matasano Security, echoed Dai Zovi's take on Apple's handling of reports, saying he's never had a problem with Apple not crediting him for a bug, but that in the past Apple had a habit of underplaying the severity of the bug. Goldsmith said Apple might have to fix bugs faster because more people will be watching what the company does.

"Apple has a reputation of being more secure and one of the theories is that it is because less people are looking at it (for vulnerabilities)," Goldsmith said. "(The Windows Safari browser) may prove to be a way of validating that claim. It is safe to say they are going to change the way they react to these communications just because they will have more exposure to them."

Apple was not immediately available for detailed comment, but a spokesperson pointed out that the Safari browser relies on an open-source browser engine that has been well tested and used by companies like Nokia.