Major Flaw Found in Apple’s Safari Browser

As Apple continues to grow up and gain market share, they will be subject to the same typee of attacks that Microsoft has become so used to defending.

Apple is known for its tendency to deny problems with its popular gadgets, making life miserable for customers when such problems occur. While Apple’s iPhone 4 antenna issues are currently stealing the show, there’s perhaps no better example overall than Apple’s spotty track record on security.

Security research firm Secunia just released a list of vulnerabilities and Apple for the first time has come out on top as the most vulnerable. Secunia warns, “[The] graph is not an indication of the individual vendors’ security, as it is not possible to compare the vendors based on number of vulnerabilities alone.”

Apple’s supporters were quick to attack the report. AppleInsider writes:

Not all vulnerabilities are equal: Secunia outlines five levels of criticality ranging from minor “not critical” issues to “extremely critical” problems that can result in remote exploits without any interaction from the user, and for which active exploits are already known to exist. Yet Secunia’s vulnerability report totals throw all these various types of flaws together into sums that are frequently used for meaningless comparison purposes.

It’s ironic that almost simultaneous to the report another significant security flaw in Safari aired. Safari — Apple’s browser software — has oft seen releases so buggy to the point that they were unusable. Safari 5 certainly offered some improvements in that department, but it apparently doesn’t fair particularly better in the security department than past releases, including Safari 4 which had a flaw so severe it prompted a Department Homeland Security warning.

While the latest Safari bug isn’t as bad an exploit as some go, considering it’s not a route to installing malware, it can result in the theft of your personal info. It all starts with one of Apple’s features in Safari — autofill. Different from the standard browser’s autofill, which remembers users names and passwords for certain sites, Safari has an even more ambitious autofill which maintains info about a user in their address book card and offers up these details when needed.

Unfortunately, Apple didn’t appear to realize that it was necessary to screen what it allows to access this data. Security researchers revealed that a simple web form can grab much of this data — first name, last name, work place, city, state, and email address — no questions asked.

Such info could be used in phishing schemes. It could also be used in blackmail schemes if the users were visiting naughty websites. Ultimately, it represents a gross threat to privacy that easily surpasses Apple’s recent loss of iPad buyers’ email addresses (a problem that was largely carrier AT&T’s fault). Apple was informed of the problem on June 17, 2010, but since has done nothing.

The flaw was discovered by Jeremiah Grossman, founder of WhiteHat Security.

Security problems are hardly something new for Apple though. The iPhone has increasingly been attacked. One security researcher suggested its security was so poor that it was “useless” to businesses. Apple has made some improvements with each release of its iPhone OS, but they didn’t stop malicious worms from cropping up in the iPhone 3GS generation.

On the computer side, Apple also has had numerous past issues. Its weak memory protections in its past two operating systems — Tiger and Snow Leopard — have spawned a number of successful attacks. Worse yet Apple’s latest OS — Snow Leopard — shipped with an outdated vulnerable version of Adobe Flash.

Apple has made some gains — its new OS does come with mild antivirus protections (though Apple quietly recommends users purchase dedicated AV software). And the OS does offer working DEP (data execution prevention), though it ships with a virtually broken address space layout randomization (ASLR) implementation (which rival Microsoft’s Windows 7 flawlessly implements).

Ultimately, though what is really killing Apple is its slow patch time. Apple’s “there is no problem” mentality has made it the slowest company at patching, according to recent surveys. It took it a year to finally last year (June) patch a major Java hole. Unfortunately, such performance is more the rule than the exception to it.

Showing 25 comments

online seo service at 12:34am 22nd December 2010 Nice for this tips !! online seo service
online seo service at 12:33am 22nd December 2010 Nice for this tips !!
Mike at 3:00pm 27th July 2010 I love to see the Apple owners act like someone put sand in their vagina every time something negative is said about Apple. Look, the article took a shot at Apple, they didn't call your mom a slut, stop acting like such babies.
DrSteveBrule at 12:22pm 27th July 2010 Just uncheck the autofill options, ya dingus. For your computer!
Mike at 9:32am 27th July 2010 just turn autofill off
BonoboBoner at 7:46am 27th July 2010 Your browsing in the wrong way. Steve sent from my iPho
Agent Smith at 7:10am 27th July 2010 "Fanboy" is in fact, when all others fail, the last "argument" (some argument...) they can come up with. Moreover: "Safari — Apple’s browser software — has oft seen releases so buggy to the point that they were unusable": I really don't know what alien version of Safari that guy's been using.
RedHatLives! at 5:04am 27th July 2010 Way to write an unbiased article... NOT!
dpri at 3:39am 27th July 2010 lol mac users always give me a laugh, they get so offended haha
PrudoJoc at 10:06pm 26th July 2010 Wow, you can't make substantive arguments against an article without some anti-apple fanatic calling you a 'fanboy' as if that somehow invalidates your substantive arguments. Pitiful.
JudoProc at 2:50pm 26th July 2010 Wow. You can't publish an article with anything remotely negative about apple without fanboys going on the attack. Sad
1. Nate Ganley at 11:28pm 26th July 2010 agreed
SadforDT at 8:40pm 26th July 2010 The article is straight link bait... totally biased and one sided. I never thought I would see Digital Trends reduce themselves to the anti-Apple bandwagon, but this is entirely unacceptable.
1. ioman at 3:41am 27th July 2010 The article came from Dailytech, republished on DT.....
taelor at 8:11pm 26th July 2010 typee!
WaggyWow at 7:58pm 26th July 2010 Oh wow, you are right, that is pretty major real-anonymity.at.tc
Maurice S at 7:56pm 26th July 2010 "...but it apparently doesn’t fair particularly better in the security department than past releases, including Safari 4 which had a flaw so severe it prompted a Department Homeland ..." do you mean fare? just trying to be fair!
Matt at 7:37pm 26th July 2010 Google's browser Chrome has the exact same vulnerability. Yet nobody is writing articles like "Major Flaw Found in Google's Chrome Browser". Digitaltrends, educate yourself.
1. tripe at 6:16pm 26th July 2010 Current version of Chrome not affected.
DontHateForSakeOfIt at 7:27pm 26th July 2010 The "major" flaw is that Safari can read the user's vCard? This flaw is not major. Naming a field in your webform with common names like "firstname" and "address1" will cause the browser to auto-populate the field if it's configured that way. Whether it pulls this information from its own information store (Firefox) or from a vCard stored in the OS (Safari/OSX) is immaterial. Also... Adobe refuses to work with Apple anymore to keep their code updated. This is the reason why SnowLeopard shipped with an outdated flash install. Apple did not create Adobe Flash, nor are they responsible for maintaining it. Blaming Apple for this is like blaming Microsoft because ATI's crappy drivers crash Windows. And yes, many of these crappy drivers are packaged with Windows just the same way Adobe's Flash was packaged with OSX. I'm all for casting blame on those responsible for problems - and yes that includes laying blame on Apple's usual "sweep it under the rug" responses to the problems the *DID* create - but let's lay blame where it is due, and refrain from jumping on bandwagons driven by people who distort the facts or get them completely wrong. Using the "Auto-Fill Webforms" feature is an Information Disclosure vulnerability in and of itself no matter which browser you use or which operating system you run. Just turn the feature off like any sensible security-minded person would.
1. Nate Ganley at 11:26pm 26th July 2010 I like the way you put this out there. Thanks for being knowledgeable.
  1. Fred at 12:01am 27th July 2010 You can drive traffic very effectively with titles such as, "massive, earth-shatteringly terrible security flaw in Apple iSomething" then just have the article say, "If you walk away from your computer and a hacker breaks into your house and accesses it before it has a chance to sleep, that hacker can steal your identity and install bad malware." See, it doesn't matter at all if the threat or article is reasonable or even vaguely possible, it's the traffic authors like the one above crave. That's why you'll see reports from GreenPeace that say, "Apple worst offender in Green manufacturing!" but if you read the article, it's more like, "Apple is #49 of the 50 randomly selected companies we decided to make up statistics about."
2. puremetal at 3:23pm 27th July 2010 Gizmodo and the BBC also reported on this Safari/WebKit vulnerability, and IIRC the issue was that via the auto-fill feature a malicious website could gain access to your entire address book, and not just any auto-fill fields you have set up for general use. So it is a little more of an issue than you make out. And please... blaming Adobe for not working with Apple is calling the Kettle black just a little. Adobe works with other OSes and vendors, most of whom (unlike Apple) don't try to ruin them.
@TCorp at 7:06pm 26th July 2010 Your article (deliberately?) fails to mention that ALL WebKit browsers have this.
1. tripe at 6:15pm 26th July 2010 The current version of Chrome is not affected. Older versions look to be, however.