[Infowarrior] - Apple Goes on Safari With Hostile Security Researchers

Richard Forno rforno at infowarrior.org
Thu Jun 14 12:34:35 UTC 2007


Apple Goes on Safari With Hostile Security Researchers
Ryan Singel 06.14.07 | 2:00 AM
http://www.wired.com/gadgets/mac/news/2007/06/researchersmeetsafari

Security researchers have long speculated that Apple has benefited from
security by obscurity, escaping attention from malicious hackers because
Windows-based computers dominate in homes and offices. But Apple's new
Safari for Windows puts it right in hackers' crosshairs. The browser gives
hackers another way to attack Windows and security researchers will now
likely spend hours hunting down holes in the code.

But Apple's culture of secrecy and slick marketing has put it at odds with a
community that values openness and honesty -- a lot of computer security
experts aren't very fond of the computer maker.

Indeed some in the security community think Apple's stance towards security
is as bad as Microsoft's was in the days when it was called the "Evil
Empire," prior to Bill Gates's declaration in 2002 that security was the
company's top priority.

When asked over the phone if Apple treated security researchers well, Black
Hat founder Jeff Moss relayed the question to researchers at the Computer
Security Institute conference. Howls of derisive laughter came pouring
through his cell phone.

"They are vulnerable like anyone else, but they are still controlled by
marketing campaigns," said Moss. "Their approach will change -- but when
will it change?"

Apple has a mixed reputation in the security community. It's been criticized
for how it handles reports of vulnerabilities, how it reports the severity
of bugs in automatic security updates and how long it takes to patch flaws.

In addition, Moss said Apple has a reputation of not crediting researchers
who find bugs. Security researchers generally adhere to a policy of
reporting bugs quietly to software vendors ahead of time in return for
public credit when a fix is shipped. However, Apple has been accused of
fixing bugs silently, or fixing a security bug and reclassifying it as a
"usability bug" rather than crediting researchers.

By releasing a beta version of Safari to the public, Apple expects to get
feedback on bugs and vulnerabilities, but some researchers are loath to
provide it unless they get proper credit.

Security researcher David Maynor said he found six Safari bugs in one day
using commonly available tools that Apple engineers should have used
themselves.

"Apple is using the research community as their (quality assurance)
department, which makes me not want to report bugs," he said. "If they
aren't going to run these tools, why should I run them and report them?"

While Maynor says he follows this policy for companies like Microsoft, he
refuses to report bugs to Apple following a vitriolic contretemps last
summer involving a wireless-driver bug. Maynor contends Apple attacked his
credibility, while Maynor's detractors say he overstated the severity of the
exploit.

One of the bugs is a remote exploit that works on the beta browser and the
current production version of Safari for Mac OS X, according to Maynor.

Maynor says he plans to hold onto the exploit until he can buy an iPhone and
break into it.

Maynor is not alone in probing the new browser. Just one day after Apple
released the Safari beta, security researchers published detailed accounts
of critical vulnerabilities in the browser, ranging from attacks that simply
crashed the browser, to one that allowed a website to run commands on the
computer of a visitor running Safari.

But animus towards Apple is not universal in the security community.

Dino Dai Zovi, a security researcher who recently won $10,000 by taking over
a Mac remotely, says he's reported nine vulnerabilities to Apple and found
them to be as responsive as most in the industry.

Apple tends to be slow issuing patches, according to Dai Zovi, but can be
quick when there's a lot of public scrutiny, such as with his QuickTime/Java
exploit, which it fixed in a "groundbreaking" eight days.

But Dai Zovi said Apple may be about to enter much hotter water, thanks to
its new Windows browser, the hot new iPhone and increased Mac market share.

"They are going to have to deal with a lot more vulnerability reports," Dai
Zovi said. "Just like Microsoft, once the public perception of security
impacts sales, Apple will most likely step it up."

David Goldsmith, the president of Matasano Security, echoed Dai Zovi's take on
Apple's handling of reports, saying he's never had a problem with Apple not
crediting him for a bug, but that in the past Apple had a habit of
underplaying the severity of the bug.

Goldsmith said Apple might have to fix bugs faster because more people will
be watching what the company does.

"Apple has a reputation of being more secure and one of the theories is that
it is because less people are looking at it (for vulnerabilities),"
Goldsmith said. "(The Windows Safari browser) may prove to be a way of
validating that claim. It is safe to say they are going to change the way
they react to these communications just because they will have more exposure
to them."

Apple was not immediately available for detailed comment, but a spokesperson
pointed out that the Safari browser relies on an open-source browser engine
that has been well tested and used by companies like Nokia.