In association with heise online

26 June 2007, 13:11

More vulnerabilities in Apple's Safari for Windows


Security specialists worldwide are skeptical about Apple's attempts to port its Safari browser to Windows. In the latest version, 3.0.2, two flaws have been discovered that affect stability and security. First, Safari supports Internationalized Domain Names (IDN), allowing country-specific Unicode characters to be used in domain name strings. Apparently, links can be crafted so that the supposed URL the user sees in their address bar differs from the real one. Phishers will be especially interested in this vulnerability.

A demo of the problem has been posted to the Full Disclosure mailing list. A very long crafted URL contains an apparently legitimate but dummy URL followed by a long string of special Unicode characters which the browser's address bar is likely to display as white space. The real domain name to which the browser is directed follows this blank string. As the complete URL is longer than the address box of the browser, only the beginning of the address is displayed, the real domain name disappearing to the right. This flaw apparently does not affect all systems, though. In a test conducted by heise Security on Windows XP SP2, the special characters were displayed properly, making it unlikely that the user would be misled. It seems that the demo works as described if the right fonts are installed on your system. The author of the security advisory includes an image showing what a successful attack looks like. Firefox and Mozilla have both already had problems with IDN, but this particular failing is not entirely unexpected. Indeed, some of the responses to the June 2005 Nominet consultation on IDNA suggested that IDN URLs should be restricted to a single country code, a recommendation that, if adopted, might well have prevented this problem.
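The following check is an added example, not code from the advisory or from Apple: it flags a URL whose host contains a run of blank-rendering code points or ends beyond the visible part of the address bar, the two conditions described above. The function names, the 60-character width and the sample URLs are assumptions made for illustration.

```javascript
// Added example: flag URLs whose host hides its real end behind blank-looking characters.
// Assumption: `url` is the Unicode (display) form, not the punycode form.

// Separators (Z), control/format/unassigned (C) and default-ignorable code
// points usually render as blank space or as nothing at all.
const BLANK = /[\p{Z}\p{C}\p{Default_Ignorable_Code_Point}]/u;

// Pull the host out by hand: a strict URL parser may reject these hosts outright.
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  const authority = m[1].slice(m[1].lastIndexOf("@") + 1); // drop userinfo
  return authority.replace(/:\d*$/, "");                   // drop port
}

// visibleChars is a hypothetical address-bar width, in characters.
function inspectUrl(url, visibleChars = 60) {
  const host = hostOf(url);
  if (host === null) return { suspicious: true, reasons: ["not an absolute URL"] };

  const cps = Array.from(host); // iterate by code point, not UTF-16 unit
  let run = 0, longestRun = 0, lastBlank = -1;
  cps.forEach((cp, i) => {
    if (BLANK.test(cp)) { run += 1; lastBlank = i; longestRun = Math.max(longestRun, run); }
    else run = 0;
  });

  const reasons = [];
  if (longestRun > 0) reasons.push(`blank-rendering run of ${longestRun} in host`);
  // The end of the host decides where the request goes; it must be visible.
  const hostEnd = Array.from(url.slice(0, url.indexOf(host))).length + cps.length;
  if (hostEnd > visibleChars) reasons.push(`host ends at column ${hostEnd}`);

  // Text after the last blank is the part a truncated address bar would hide.
  const tail = cps.slice(lastBlank + 1).join("").replace(/^\./, "");
  return { suspicious: reasons.length > 0, reasons, longestRun, hostEnd, tail };
}

// Constructed samples (reserved .example names, U+3000 chosen arbitrarily).
const SAMPLE_SPOOF = "http://www.bank.example" + "\u3000".repeat(80) + ".other.example/login";
const SAMPLE_CLEAN = "https://www.example.org/path";

console.log(inspectUrl(SAMPLE_SPOOF));
console.log(inspectUrl(SAMPLE_CLEAN));
```

A mail gateway or link scanner could display `tail` next to the link text so that the part of the host an address bar would cut off is shown first.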

The second flaw is a buffer overflow that occurs when a bookmark is created of a link more than 1024 characters long. When the bookmark is added, the browser crashes. It is not yet clear whether this vulnerability can be exploited to inject and execute malicious code. It was possible to inject malicious code into the first version of Safari by means of specially crafted URLs.

The Windows version of Safari is only a beta not intended for production use; in its current state it is best thought of as a preview that lets users become familiar with the functions. Apple would be well advised to have a team review the code to find and remedy additional flaws; at the moment, it seems that the company has left quality assurance for the browser up to the community.
