Researchers Taking Keen Interest in Apple’s Vulnerabilities
Security researchers are taking a growing interest in Apple. In April 2007, the "Hack a Mac" contest at CanSecWest offered a US $10,000 prize, and more recently, on June 11, 2007, Apple released a public beta of its Safari web browser for Windows, as reported by CSOonline on June 12, 2007.
On the same day Safari 3 was announced for Macintosh and Windows, researchers reported eight security holes in it. Researcher Thor Larholm publicly posted exploit code online. Another researcher, Aviv Raff, found a memory corruption bug that is potentially exploitable, and David Maynor, a longtime Apple critic, disclosed six vulnerabilities.
Maynor noted that his team found six security holes: four denial-of-service bugs and two bugs allowing remote code execution. They weaponized one of the bugs and found that it behaved differently from what they had seen before. The bugs they discovered in the beta of Safari for Windows were also present in the production version of Safari on OS X. The exploit works reliably mainly because OS X lacks advanced security protections, Maynor said, according to news published by Tech.monsterandcritics on June 13, 2007.
Raff said he spent approximately three minutes fuzzing the browser to find the bug, but he had not tested it on Mac OS X, so he was not sure whether the bug affected Safari for Windows alone. Raff said the bug crashes the browser and may be exploitable, meaning it could potentially be used to run malicious software on the computer, as reported by CSOonline on June 12, 2007.
Raff was clearly unhappy with Apple's claim that Safari was fully secure from day one. He described the claim as "pathetic", but added that he was not singling out Apple: he has posted about issues in Microsoft and Mozilla software as well, CSOonline reported on June 12, 2007.
All software has security holes, but most vendors do not claim to be completely secure "from day one", Raff said sarcastically, adding that it was probably "day zero" now, as published by CSOonline on June 12, 2007.
SPAMfighter News - 30-06-2007