Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

Hunting Safari

When Apple's Safari browser was released for beta testing on Windows at this year's WWDC, it was expected that many researchers would turn their attention to this little piece of Apple in a Microsoft world.

These expectations were met when vulnerabilities were rapidly discovered and disclosed within a matter of hours of the release of the browser, some with detailed exploitation code accompanying the disclosure.

A lot of the remaining publicly known vulnerabilities are low threat issues, providing cross site scripting and minor data corruption opportunities. However, there are still serious vulnerabilities being released, such as the '0-day' code execution vulnerability due to excessive Title tag length when a page is added to the bookmarks.

While Apple quickly moved to patch the known vulnerabilities, bringing the browser to beta version 3.02 in short order, some 'researchers' have decided to take a more unprofessional route while vulnerabilities continue to be disclosed by others.

Repeating the oft-used line that unpaid research and Quality Assurance for a software vendor is not what they are there for, at least one security researcher has publicly stated that they will be withholding disclosure of serious Safari vulnerabilities until after the release of OS X 10.5 (Leopard), preferring to wait until a reasonable userbase has been established prior to disclosure.

The risk of taking this approach is that it is possible (maybe even probable) that another researcher will identify and report the vulnerabilities before the release and widesperad use of Leopard.

Intentional suppression of vulnerability data (including not reporting it to the vendor), with the intention of later publicity, is a practice that many find unethical and unprofessional and the researchers may find that software vendors will be less willing to negotiate with them in the future.

Whatever the outcome, it is to be expected that many more Safari-focussed vulnerabilities will be disclosed over the next several months.

30 June 2007

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.