Analyst Uncovers 20 Security-related Flaws in Safari


Charlie Miller, founder of Independent Security Evaluators, claims to have found 20 flaws in Safari and Preview that could potentially let a hacker gain control over someone’s Mac, and he plans to show off his findings at the CanSecWest security conference starting on March 24, according to Forbes. Mr. Miller is known for hacking Macs in the conference’s annual Pwn2Own competition.

The flaws use a specially crafted PDF document to exploit security holes in Preview’s PDF rendering engine, which is also used in the Safari Web browser. An attacker could include such a PDF in a Web site to crash Safari and potentially gain access to the user’s Mac.

Mr. Miller isn’t revealing the flaws or how they work just yet — not even to Apple. He’ll likely use what he’s discovered during this year’s Pwn2Own competition, and he’s also considering keeping his research from Apple to see how long it takes the company to find and patch the flaws.

“The moral of the story is that if Apple wants to keep its products secure, it needs to be doing what I’m doing,” he said. “I’m one guy working out of my house. I shouldn’t be able to find bugs like these, ever.”


Comments

daemon

I wonder if any of the 20 exploits also work on Adobe Reader…

Lee Dronick

“he’s also considering keeping his research from Apple to see how long it takes the company to find and patch the flaws.”

Is he keeping his research from anyone else?

jragosta

First, the security flaws appear to be trojans. How many times does it need to be said - NO platform is secure from trojans. The system asks the user if it should do something and the user says ‘yes’. How is the system supposed to protect stupid users from themselves?

Second, note the way this is worded: the crafted PDF document (assuming that you can trick the user into downloading it) can crash Safari and “potentially gain access”. Every few weeks, we hear about things that could ‘potentially’ gain access to the Mac, but they never do.  How about if he comes back if he finds a REAL security flaw?

daemon

How about if he comes back if he finds a REAL security flaw?

jragosta, he does gain access to the Mac. That’s why it’s a security flaw. Maybe you aren’t familiar with the Pwn2Own contest, but Charlie Miller won $10,000 in 2008, and he won $5,000 in 2009.

He also demonstrated how to gain control of mobile phones with an SMS vulnerability that affected the iPhone, Android based handsets, and Windows Mobile based handsets.

As a former NSA agent and Doctor of Mathematics, he’s pretty good at this stuff.

Bennyboy

“The moral of the story is that if Apple wants to keep its products secure, it needs to be doing what I’m doing,” he said. “I’m one guy working out of my house. I shouldn’t be able to find bugs like these, ever.”

Yea, sure.  I’m sure all of the scum that make trojans, viruses and spyware aren’t working out of their houses.  They probably have a cushy office to go to.
He either has an extreme case of narcissism, or he really wants Apple to hire him.  Either way he’s a douche.

jragosta

I’m quite familiar with Pwn2Own. That’s the one where you need physical access to the computer to hack the Mac. Sorry, but NO system is secure if you give someone physical access. I’m just not going to lose sleep over it.

In the REAL world, there are still zero Mac OS X viruses. Zero. None. Zip. Nada. Zilch. Argue all you want about whether it’s obscurity or design. The fact is that a Mac user doesn’t have to worry about someone remotely gaining access to his computer unless he does something stupid.

daemon

I’m quite familiar with Pwn2Own. That’s the one where you need physical access to the computer to hack the Mac.

LoL! And that statement shows that you clearly don’t know jack about Pwn2Own!

Lee Dronick

a Mac user doesn’t have to worry about someone remotely gaining access to his computer unless he does something stupid.

Unfortunately there are people using Macs who might do something stupid and have an Admin account. But yeah, don’t give Miller physical access to the Mac or iPhone and see how he does.

fuzzer

Preview can open dozens of different kinds of documents, with and without color tables, and variations on internal formats.  There are probably thousands more bugs waiting to be found.  I agree with Charlie though, Apple should be fuzzing the heck out of their own software, but expecting their software to be completely bug free is ridiculous.  There are nearly infinite combinations of different image formats + color tables + various compression techniques.

I wrote a fuzzer a couple years ago and found many issues too.  One of the interesting things is that many of those fuzzed files crash Spotlight when it tries to index the file!  So you don’t even need to manually open a downloaded image, spotlight will open it for you.

MOSiX Man

Wow. ~~~Yawn~~~ If these are the kinds of ‘security holes’ for the Mac, that are deemed important enough to grab headlines (no offense to TMO), it makes me feel all the happier and more secure that I use Macs as well as recommending them to family and friends.

Dean Lewis

“he’s also considering keeping his research from Apple to see how long it takes the company to find and patch the flaws”

Yep, no agenda there. This guy doesn’t have a hate on for Apple at all. I mean, there’s no chance someone else may have found or will find the exploit, so why help Apple and its millions of users out when you can self-promote yourself?

The guy is fishy, and so is the PWN2OWN contest. They say all work needs to be done at the contest, and yet they allow people to use exploits they’ve already found and written code for. Then they relax the rules day by day until they might as well be simulating me allowing someone to walk in my door, turn on my system, and attach a hard drive to it to dupe my drive. Whatever truth these people might turn up is drowned out by the hype and the childish games. If he was truly one of the good guys, he should hand his work over to Apple immediately (or to Microsoft or to the Linux community depending on what he’s working on at the time). Waiting until PWN2OWN is irresponsible and simply makes his integrity questionable.

JulesLt

Actually, he doesn’t have any hate for Apple - in interviews he is quite clear that he uses OS X as his OS of choice - because security isn’t the only reason to use an OS (otherwise no one would use XP) - applications are the reason you use an OS.

He’s a genuine Machead - who spends a good period of time trying to crack it. Getting from the point he’s achieved to a real exploit isn’t that difficult (you daisy-chain known exploits together to get yourself execution at the right privilege level) but he’s not going to give information on how to weaponise his hack.

Each year he gets a good bit of publicity, and you can bet that, in turn, generates paid work. I also hope he stays independent, because this kind of pressure is the only thing that will make Apple better - it’s got to be embarrassing when OS X falls before Windows.

Adobe Reader had 3 issues compared to Preview’s 20.

Apple are definitely at fault here - this isn’t difficult testing - with a bank of a few hundred machines, you could do it in hours. They’re being sloppy, precisely because there are no wild exploits - but one day that is going to bite us, and I expect better, considering the money we pay them. How many billion in the bank??

Do I feel any less safe? No.
Am I disappointed in what it says about Apple’s QA? Yes.

Dean Lewis

If it isn’t difficult, then someone else probably knows this, and Miller is being entirely irresponsible for holding on to his information and not immediately giving it to Apple now. Since there does not appear to be a wild outbreak of hacked Macs out here, I doubt it is that easy. Difficult or easy, Miller should hand over his info instead of sitting back and chortling to himself while watching “how long it takes [Apple] to find and patch the flaws.” That’s childish, narcissistic b.s.

John Martellaro

I don’t see any of this as hate for Apple.  Some kinds of specialized information have value.  The question is, after you’ve done the hard work, do you give it away or exploit the fact that the information has value?

Some people like to give away personally gained knowledge. Other people place a value on their research. If market forces reinforce that value, they go with the flow.

What you perceive as ill-will on the part of Mr. Miller is merely his process of tapping into the value of his research.

John Martellaro

Oh, and, by the way, the community generally develops a consensus about what the real value of the research is. Sometimes the researcher is on the mark in his estimation, and sometimes he’s deluded about the true value.

Dan Plesner Henriksen

Well, let’s see if it’s as bad as he says.
Anyway, when is Apple gonna learn to make products that aren’t WinTel-like? I mean full of errors!

Dan Plesner Henriksen
www.cph-visual.com
