Safari, OmniWeb & BumperCar Webkit JavaScript Vulnerability
- From: "Redhart" <REdwardHart@ aol.com>
- Date: Thu, 31 May 2007 16:28:46 -0400
The proper name for this vulnerability is:
JavaScript Cross-Domain Browser Location Information Disclosure
Monday the SANS Institute reported a recently discovered
vulnerability in Mac OS X web browsers that use Apple's current
version of WebKit. SANS considers this vulnerability to be
'CRITICAL'. It involves Safari v2.0.4 (and probably earlier 2.0.x
versions), OmniWeb v5.5.4 (and probably earlier 5.5.x versions)
and BumperCar v2.1.1 (and probably earlier 2.0.x versions). No
other browsers appear to be involved. It is not clear whether
this vulnerability was inherited from Konqueror, which is the
basis for Apple's WebKit, or was introduced by Apple's own
additional code. There is as yet no available solution for this
problem other than to disable JavaScript in these browsers for
potentially insecure websites.
The announcement was made in the SANS Institute's @RISK eMail
newsletter, 'The Consensus Security Vulnerability Alert' Vol. 6
No. 22 dated May 28, 2007. Here is the body of their announcement:
07.22.30 CVE: Not Available
Platform: Mac Os
Title: Apple Safari Cross-Domain Browser Location Information Disclosure
Description: Apple Safari is exposed to an information disclosure
issue because it fails to properly enforce cross-domain JavaScript
restrictions. Safari version 2.0.4 is affected.
Ref: http://www.securityfocus.com/bid/24121
If you follow the URL SANS provides, it takes you to a detailed
description of the vulnerability. If you click on the 'exploit'
tab you will connect to this page:
<http://www.securityfocus.com/bid/24121/exploit>
There you will find a URL that leads to a proof-of-concept page:
<http://www.businessinfo.co.uk/labs/googlesnoop/snoop.html>
Using this page you can test all your browsers. Note that you do
NOT have to use Safari to use this test page. When you click on
the link marked 'Run Snoop' it triggers a JavaScript routine that will
open a window to Google's main page. If your browser is
vulnerable to the cross-domain JavaScript disclosure problem then
a modal box will open in your browser stating the address you
just visited, that being Google. Apparently the data collected by
a snooping JavaScript-enabled web page is visible to the authors
of the source website and can be used for nefarious purposes.
Of the Mac OS X web browsers I personally keep on my MacBook
running 10.4.9, the vulnerable web browsers are those I noted in
the first paragraph. NOTE that I personally am adding OmniWeb and
BumperCar to the list after using the proof-of-concept test page.
OmniWeb and BumperCar use Apple's most current version of WebKit.
All other current versions of web browsers that I tested were NOT
vulnerable. This includes Camino 1.0.4 and 1.1b1, Firefox
2.0.0.3, iCab v3.0.3, Flock v0.7.12, and ye olde Internet
Explorer v5.2.3. None of these browsers use Apple's WebKit. I
also tested the obscure surfDude browser and found it was not
vulnerable. This browser is based on Apple's WebKit, but
apparently not the current version that has caused the
vulnerability.
I did not test the following web browsers, none of which to my
knowledge use Apple's current version of WebKit:
Opera, Shiira, wKiosk Browser, SunriseBrowser, SeaMonkey (which
is Mozilla based), Desk Browse, Desktop Web Browser, Lynx,
KidsBrowser, Netscape X (aka Mozilla), RAFBrowse, Web Tool Kit,
HazIce (which uses an older unaffected version of WebKit),
TrailBlazer (ancient), WaMCom (ancient), wDeskBrowser (ancient),
wKids browser (ancient), or any ultra-obscure MOSX web browser I
may not be aware of.
CONCLUSIONS:
Any web browser using Apple's current version of WebKit is
vulnerable to this JavaScript cross-domain browser location
information disclosure vulnerability. This includes the most
recent versions of Safari, OmniWeb and BumperCar.
The best workaround, until a patch for WebKit is provided by
Apple, is to turn OFF JavaScript for all websites except those
that are trusted. Unfortunately, this is a painful process with
the Safari and BumperCar browsers where JavaScript is either
entirely on or entirely off. The best alternative is to use
OmniWeb, which includes the ability to create JavaScript settings
specific to every website you visit.
Meanwhile, I am not aware of any exploits of this vulnerability
in the wild. Nonetheless, better safe than spied upon,
compromised and sorry.
ADDENDUM:
Here is where you can read the original announcement of this
vulnerability by Gareth Heyes:
<http://www.thespanner.co.uk/2007/05/18/safari-needs-fixing/>
Gareth's behavior in this matter is in keeping with 'White Hat'
hackers, those who report discovered vulnerabilities to
application developers, providing them with time to make repairs
before disclosing the vulnerabilities to the public. Note how
this is in sharp contrast to the assh*les Kevin and PMS (or
whoever he is) who perpetrated the MOAB (Month of Apple Bugs)
this past January.
To quote Gareth:
I've informed Apple of a serious Safari problem a few months ago and still
they haven't fixed it. I have decided to release a demo of how Safari will
allow cross domain javascript access. I think this is a major issue and I am
releasing it here with the hope that Apple will get off their backside and
fix this problem as in the latest security update it wasn't addressed.
WHAT YOU CAN DO TO HELP:
Safari provides an option to "Report Bugs to Apple..." under the
Safari menu. If you use any of the affected browsers it is, IMHO,
in your best interest to PESTER Apple to fix this problem in
WebKit. OmniWeb also provides a method to 'Send Feedback...'
under their Help menu. BumperCar is made by FreeVerse. You can
contact them through their website's Support Form page:
<http://www.freeverse.com/support/form.php>
OmniGroup and FreeVerse are very conscientious companies and will
put their own PESTER PRESSURE upon Apple.
Share and Enjoy,
:-Derek
--
Fortune Magazine 11-29-05: What's your computer setup today?
Frederick Brooks: I happily use a Macintosh. It's not been
equalled for ease of use, and I want my computer to be a tool,
not a challenge.
<http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
[Frederick Brooks is the author of 'The Mythical Man Month'.
He spearheaded the movement to modernize computer software
engineering.]
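The 'Run Snoop' test described above works by opening a window on another domain and then reading that window's location back. A browser that enforces the same-origin policy refuses that read; the affected WebKit builds did not. The following is an added example, not code from the post, from SecurityFocus or from the snoop page: it models, in plain Node.js (WHATWG URL class assumed), the origin comparison and the cross-origin property allowlist a browser must apply, and shows why the snoop page should get a SecurityError rather than the Google address. The property lists follow the HTML specification's cross-origin allowlist; the snoop page URL and Google URL are used only as constructed sample inputs.

```javascript
// Added example, not the post's or any project's code: a small model of the
// same-origin check a browser applies when a script touches a window it opened.
// Assumes a Node.js runtime with the WHATWG URL class.

// An origin is the (scheme, host, port) triple. Two URLs share an origin only
// when all three match; path and query play no part.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol.replace(/:$/, ''), host: u.hostname, port: u.port };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The only properties a script may touch on a cross-origin Window, per the
// HTML spec's cross-origin allowlist. Everything else must throw.
const CROSS_ORIGIN_WINDOW_PROPS = new Set([
  'window', 'self', 'location', 'close', 'closed', 'focus', 'blur',
  'frames', 'length', 'top', 'opener', 'parent', 'postMessage',
]);
// On a cross-origin Location only replace() may be read; href may be set but
// never read, which is exactly what the snoop page relies on.
const CROSS_ORIGIN_LOCATION_PROPS = new Set(['replace']);

class SecurityError extends Error {
  constructor(message) { super(message); this.name = 'SecurityError'; }
}

// Stand-in for the Window object returned by window.open(): just its URL.
function openWindow(url) { return { url, closed: false }; }

function readWindowProp(win, prop) {
  if (prop === 'closed') return win.closed;
  if (prop === 'location') return { kind: 'location', url: win.url };
  return undefined; // other properties are irrelevant to this model
}

function readLocationProp(win, prop) {
  const u = new URL(win.url);
  if (prop === 'href') return u.href;
  if (prop === 'host') return u.host;
  if (prop === 'pathname') return u.pathname;
  if (prop === 'replace') return (newUrl) => { win.url = newUrl; };
  return undefined;
}

// Models reading `prop` on the opened window (kind 'window' or 'location')
// from a script running at scriptUrl. Same origin: anything goes.
// Cross origin: only the allowlisted names, else SecurityError.
function accessProp(scriptUrl, win, kind, prop) {
  const allowed = kind === 'location' ? CROSS_ORIGIN_LOCATION_PROPS : CROSS_ORIGIN_WINDOW_PROPS;
  if (!sameOrigin(scriptUrl, win.url) && !allowed.has(prop)) {
    const o = originOf(scriptUrl);
    throw new SecurityError(
      `Blocked a frame with origin "${o.scheme}://${o.host}" from accessing ${kind}.${prop} of a cross-origin window`);
  }
  return kind === 'location' ? readLocationProp(win, prop) : readWindowProp(win, prop);
}

// The snoop test as a correctly behaving browser should handle it: open the
// target, try to read its location.href, report whether anything leaked.
function runSnoop(snoopPageUrl, targetUrl) {
  const win = openWindow(targetUrl);
  try {
    return { disclosed: true, href: accessProp(snoopPageUrl, win, 'location', 'href') };
  } catch (e) {
    if (e instanceof SecurityError) return { disclosed: false, error: e.message };
    throw e;
  }
}

// Constructed sample inputs mirroring the proof-of-concept described above.
const SNOOP_PAGE = 'http://www.businessinfo.co.uk/labs/googlesnoop/snoop.html';
const TARGET = 'http://www.google.com/';
console.log(runSnoop(SNOOP_PAGE, TARGET));
```

A browser that behaves like this model answers `{ disclosed: false, ... }` for the Google window, while the same call for a page on the snoop page's own host returns the URL, which is the legitimate use of cross-window access. The model also lets `window.closed` and `location.replace()` through cross-origin, matching what real browsers permit, so it shows the allowlist rather than a blanket block.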