In association with heise online

10 February 2011, 14:35

Security vulnerability demonstrated in Safari


At the IT-Defense 2011 security conference, organised by the services company cirosec, Mac security experts Dino Dai Zovi and Charlie Miller demonstrated a further zero-day exploit for the 64-bit version of Safari 5. Miller's demonstration involved taking control of the Safari process on a fully patched MacBook simply by having it load a URL. The two specialists are not keen to reveal too many details, as they may be able to profit from the exploit at the Pwn2Own contest in early March.

The demonstration once again shows how vulnerable Apple's operating system and applications are, despite security mechanisms such as address space layout randomisation (ASLR) and data execution prevention (DEP). Until now, Mac users may have been able to draw some sense of security from the lack of interest shown by malware producers, but it remains the case that Snow Leopard is not able to withstand targeted attacks. Security experts consequently consider OS X to be significantly less secure than Windows 7.

The two US researchers go one step further. They describe some of the security gains in Snow Leopard as happy accidents. Apple's implementation of ASLR, for example, leaves a number of fixed entry addresses in place, which leave many entry points wide open. Although DEP is sensibly implemented for 64-bit processors, JIT spraying (see the white paper, PDF) is able to bypass both ASLR and DEP. Because Safari is based on WebKit, this attack is nevertheless thwarted by the fact that WebKit itself randomises the memory addresses of the JIT code it produces – it appears that the WebKit project did not trust Apple.

Similarly, changes to memory management in OS X 10.6 – malloc now assigns memory per CPU core in a zone known as a magazine – offer entirely unplanned security benefits. Miller classifies these changes as "performance enhancements".

Jeremiah Grossman's presentation of the 10 most invidious web hacking techniques of 2010 (as judged by an expert committee) contains a bitter pill for Apple users. As well as the famous evercookie, users face the threat of a vulnerability in Safari's AutoComplete feature which is exploitable using, of all things, cross-site scripting. By stubbornly probing, injected JavaScript is able to winkle out data previously entered into form fields in just a few seconds. Since this also applies to the password manager, users are well advised to use an external tool such as 1Password. (Tobias Engler)
