Thursday, June 19, 2008

BK on Safari, hunting Firefox...

Apple released a patch for their “Carpet Bomb” issue today.  I’m glad to see that Apple took steps to protect their users.  Kudos to the Apple Security team!   

 

There was a lot of discussion about how this behavior could be used in a “blended” attack with IE, but Safari’s behavior affected more than just IE. In fact, I’ve discovered a way to use the Safari’s carpet bomb in conjunction with Firefox to steal user files from the local file system.  Even though Apple has patched the carpet bomb, I’m not going to go into details as the issue is not patched and the behavior may be replicated via other means (it’s the kinder, gentler BK).  I’m also happy to say that some of the improved security features in Firefox 3 help lower (but do not eliminate) the impact of the issue (Firefox 2 users could still be at risk of arbitrary file pwnage). Mozilla is working on the issue and they’ve got a responsive team, so I’m sure we’ll see a fix soon. 

 

  • UNREALTED NOTE TO MOZILLA:  Firefox 3 shouldn’t FORCE itself to be my default browser after I install it (YES, I unchecked the default browser checkbox during install)


 

Now, these types of vulnerabilities are a perfect example of how the all the software and systems we use are part of a giant ecosystem.  Whether we like it or not, the various parts of the ecosystem are intertwined with each other, depending on each other.  When one piece of the ecosystem gets out of line, it can have a dramatic effect on the ecosystem as a whole.  A small vulnerability or even an “annoying” behavior from one piece of software could alter the behavior of 2nd piece of software, which a 3rd piece of software is depending on for a security decision (The recent pwn2own browser -> java -> flash pwnage is a great example of this).  As the ecosystem grows via plugins, functionality, and new software, so does the attack surface.  Eventually, the interactions between systems and software become a gigantic mesh and the attack surface becomes almost infinite.

 

Now, a lot of people have criticized Apple for their inability to see the carpet bombing behavior as a security issue.  If Apple looked at their product (Safari) in isolation, maybe it wasn’t a high risk security issue to them and it was really more of an annoyance… its only when you look at the ecosystem as a whole do we start to see the security implications of this behavior.  Should we have expected Apple to threat model the risks of this behavior against their own products AND other third party products as well?  Can we reasonably expect them (or anyone) to have the requisite knowledge to truly understand how certain behavior will affect the ecosystem? 

 

This brings us to a pressing question.  In the "real world", users install products from multiple vendors.  Whose responsibility is it to examine the interaction between all these products?
Posted by at
Labels: , , , , ,

18 comments:

  1. EvertJune 20, 2008 at 2:10 AM

    IE had an issue a while back, not escaping "firefoxurl://" type urls and the likes. Even though the bug was in IE, the mozilla team was even quicker in solving it on their side..

    So back to the safari carpet bombing behaviour, even though they are right to saying, its a windows bug, not ours; they should still have a proactive approach for protecting users of their application.

    ReplyDelete
  2. Zero Day mobile editionJune 20, 2008 at 7:16 PM

    [...] Security research Billy Rios posted an article today about the Apple Safari “Carpet Bomb” attack, discussing a new issue that, despite the patch which prevented a “blended” remote command execution attack when Safari was used in conjunction with IE on a Windows system, keeps the “Carpet Bomb” attack alive and well. [...]

    ReplyDelete
  3. Nate McFetersJune 20, 2008 at 7:33 PM

    Very nice! These blended attacks are pretty serious.

    -Nate

    ReplyDelete
  4. NurBoJune 21, 2008 at 8:55 AM

    FF3 I really don't like it the look and everything makes me sick plus half of the good add on's don't work any more. To me the only thing good about fire fox three is its more secure more shiny buttons and thats pretty much it.FF2 FTW haha

    ReplyDelete
  5. Safari todavía vulnerable al “Carpet Bomb” |June 21, 2008 at 9:39 AM

    [...] ingeniero de seguridad Billy Rios (trabaja para Microsoft) anuncia hoy que a pesar del reciente parche que Apple dispuso en Safari. el navegador es todavía vulnerable [...]

    ReplyDelete
  6. Billy DownerJune 21, 2008 at 10:08 AM

    So are you saying that patched installations of Safari still pose a risk? I'm left confused by your post. You are being quoted in a couple of places confirming that Safari 3.1.2 is the cause of this new FF threat...

    ReplyDelete
  7. El BoJune 21, 2008 at 11:20 AM

    Can you clarify this: Is the remaining bug Apple's to fix, or Mozilla's? A lot of the blogs referencing this are saying that it's Apple's.

    ReplyDelete
  8. XakaduJune 21, 2008 at 12:08 PM

    You'd have to be quite retarded to think firefox2 could be a decent choice over 3, really even firefox1.5 was much better than 2, regarding addons, most of the useful ones already work in firefox 3, and the rest will migreate eventually or someone will make a firefox3 equivalent anyway.

    ReplyDelete
  9. James BrownJune 21, 2008 at 12:44 PM

    Several articles that link here state there is still a vulnerability in Safari that needs to be addressed, but that's not the impression that I got from your post. To clarify, is the new issue that you mention a vulnerability in Firefox that could previously have been exploited via the now-fixed Safari "carpet bombing" and may still be exploitable via other means? It might be worth being a bit clearer on this in your post to remove the confusion.

    ReplyDelete
  10. aussiebearJune 21, 2008 at 6:33 PM

    So this is a Windows/IE problem being the root cause of this mess?

    Does it occur if I use Firefox 3 under Linux?

    ReplyDelete
  11. “Carpet Bomb” Still A Problem Despite Patch…. Oh Noes! « The IT NerdJune 21, 2008 at 11:52 PM

    [...] yeah, if you look at Billy’s blog, he also has this [...]

    ReplyDelete
  12. s9kJune 22, 2008 at 9:11 AM

    nice find rios, pretty cool tie together.

    ReplyDelete
  13. ArmandoJune 23, 2008 at 6:39 AM

    Could Safari’s carpet bomb be used in conjunction with Opera 9.27 or 9.50?

    ReplyDelete
  14. Tech News » Blog Archive » Linkpost | 6.22.2008July 6, 2008 at 10:12 PM

    [...] BK on Safari, hunting Firefox… — Despite patching, security researcher says Safari carpet bomb blended threat is still [...]

    ReplyDelete
  15. appleforapple.com » Firefox 3.0.1 fixes blended-threat vulnerabilityJuly 17, 2008 at 5:17 AM

    [...] and Safari for Windows: Turns out Firefox was vulnerable, too. Security researcher Billy Rios found the problem, but disclosed it only to Mozilla. (Mac users remain [...]

    ReplyDelete
  16. Rilasciato Firefox 3.0.1 « marko’s weblogJuly 18, 2008 at 1:50 AM

    [...] hanno corretto tre vulnerabilità: una falla che, combinata con un problema di Safari, permette la lettura dati dal disco fisso o l’esecuzione di codice, un overflow relativo al CSS reference counter (con conseguente esecuzione di codice remoto) ed un [...]

    ReplyDelete
  17. Firefox 3.0.1 fixes blended-threat vulnerability | applestech.comJuly 18, 2008 at 5:19 AM

    [...] and Safari for Windows: Turns out Firefox was vulnerable, too. Security researcher Billy Rios found the problem, but disclosed it only to Mozilla. (Mac users remain [...]

    ReplyDelete
  18. Firefox 3.0.1 fixes blended-threat vulnerability » 70 TricksJuly 18, 2008 at 4:46 PM

    [...] and Safari for Windows: Turns out Firefox was vulnerable, too. Security researcher Billy Rios found the problem, but disclosed it only to Mozilla. (Mac users remain [...]

    ReplyDelete

Subscribe to: Post Comments (Atom)