Apple Safari Vulnerability

Monday, April 29, 2013 @ 05:04 PM gHale


There is a simple flaw in the Apple Safari browser where an attacker could hijack users’ web sessions.

The flaw could be exploited to make the browser hand over user cookies, passwords or even files from the victim’s machine, researchers said.


The problem lies in the Apple Safari webarchive format, which saves all resources on a web page into one document. To exploit the flaw, an attacker would have to trick a victim into opening a malicious webarchive file, either through a forced download or via an email attachment in a spear phishing attack.

The specially crafted file could pilfer cookies and saved passwords by having them sent to the attacker’s own domain.

The file could also store poisoned JavaScript in the user’s cache, allowing keyloggers to be installed for certain sites. That is “very bad”, said Joe Vennix, Metasploit products developer at Rapid7.

“A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain – a Universal Cross-site Scripting (UXSS) bug,” Vennix said in a blog post. “An attacker can send you crafted webarchives that, upon being opened by the user, will send cookies and saved passwords back to the attacker.

“By modifying the WebResourceURL key, we can write script that executes in the context of any domain, which is why this counts as a UXSS bug.

“In a nightmare scenario, the user could be typing emails into a ‘bugged’ webmail, social media, or chat application for years before either 1) he clears his cache, or 2) the cached version in his browser is expired.”
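The format Vennix describes is a property list in which every archived resource carries its own WebResourceURL, so a defender triaging webarchive attachments can parse the file and flag resources whose declared origin does not match the main page. The script below is an added example, not code from Rapid7 or the article; the fixture archive it builds is constructed and inert, and the key names other than WebResourceURL (WebMainResource, WebSubresources, WebResourceMIMEType, WebResourceData) are assumed from the webarchive format.

```python
import plistlib
from urllib.parse import urlsplit

# Webarchive property-list keys. The article names only WebResourceURL;
# the others are assumed from the format's usual layout.
MAIN = "WebMainResource"
SUBS = "WebSubresources"
URL = "WebResourceURL"
MIME = "WebResourceMIMEType"
DATA = "WebResourceData"

# MIME types that carry script or markup, i.e. content that would run
# in whatever origin the archive claims for it.
ACTIVE_MIMES = {"text/html", "text/javascript",
                "application/javascript", "application/x-javascript"}


def origin(url):
    """Rough origin as (scheme, host); file:// URLs have no host."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname or "")


def audit_webarchive(blob):
    """Parse a webarchive (binary or XML plist) and return a list of
    (resource_url, reason) findings; an empty list means nothing flagged."""
    archive = plistlib.loads(blob)
    main = archive.get(MAIN, {})
    main_origin = origin(main.get(URL, ""))
    findings = []
    for res in [main] + list(archive.get(SUBS, [])):
        url = res.get(URL, "")
        res_origin = origin(url)
        mime = res.get(MIME, "").lower()
        if res_origin[0] == "file":
            findings.append((url, "resource declares a file:// URL"))
        if res_origin != main_origin and mime in ACTIVE_MIMES:
            findings.append((url, "active content declared under a foreign origin"))
    return findings


def build_sample(sub_url):
    """Constructed fixture, not an exploit: a benign page plus one inert
    script subresource whose declared URL is chosen by the caller."""
    main = {URL: "https://example.com/index.html", MIME: "text/html",
            DATA: b"<html><body>hello</body></html>",
            "WebResourceTextEncodingName": "UTF-8"}
    sub = {URL: sub_url, MIME: "application/javascript",
           DATA: b"// inert placeholder script\n"}
    return plistlib.dumps({MAIN: main, SUBS: [sub]}, fmt=plistlib.FMT_BINARY)
```

Running `audit_webarchive` over real attachments gives a quick indicator of archives that claim script under a host other than the page they were saved from; it cannot tell a hand-edited archive from a legitimately saved page that pulled a script from a CDN, so treat a finding as a triage lead rather than a verdict.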

Ideally, Apple would prevent script from executing in the way the researchers showed. Rapid7 reported the bug to Apple in February.

Vennix said Apple labeled the flaw a “wontfix,” since the webarchive file has to be downloaded onto the user’s machine before it can do anything.

“This is a potentially dangerous decision, since a user expects better security around the confidential details stored in the browser, and since the webarchive format is otherwise quite useful,” Vennix said.

“Also, not fixing this leaves only the browser’s file:// URL redirect protection, which has been bypassed many times in the past.”
