Apple Safari Denial Of Service (iPhone, iPad, iPod, OS X, Windows) 0-Day

I’ve spent a lot of time thinking about what to do with this one, and when I say a lot of time, I really mean just over 3 months now. I also informed Apple that I would be writing this article, and asked for an official quote from them, and also a rough date as to when the relevant patches would be disclosed.
I found this one by fuzzing Safari 5.0 on the night that it first came out. I was using Browser Fuzzer 2 (bf2), and then spent a while playing with it to see if I could turn this into more than just a Denial Of Service (DoS); unfortunately I wasn’t able to. This is not to say that it’s not possible to do so; I’m just not too sure how to do it, and it may very well be more than just a DoS with a few tweaks to the code.

I initially tried selling this one to ZDi, but their response to me was fair and to the point:

“Dear xyberpix

We have reviewed your recent case and discovered it was a duplicate of an issue we received in January of this year. We have also determined that this issue is likely non-exploitable. Due to this we are going to pass on the opportunity to pursue acquisition of this vulnerability information through the ZDI program.

Thank you for the submission and we look forward to your future work.

The ZDI Team”

So, January 2010 and to date, this still has not been fixed by Apple! People give Microsoft and Adobe a hard time about their time to release patches, but seriously 8 months is really pushing it!

So I figured I’ll see what Apple has to say about this one, and sent it along to their product security team, asking if they were willing to reward vulnerability researchers for their time. I wasn’t asking for anything major at all, maybe the cheap iPad or even just a copy of Logic Studio 9 for my trouble. That’s really not too much to ask really is it? I didn’t have any high hopes though, and well here was their response:

“Hello Xyberpix,

When we address an issue in a Security Update, we give credit to the person who reported the issue to us.  However, Apple does not directly provide financial reward.”

Okay, fair enough, I didn’t go looking for bugs for financial gain, but it would have been a nice token nonetheless. I guess the fact that I’ve been a loyal Apple fan boy for close on 8 years now means nothing to them at all. I guess this is why I’m a firm believer in the No More Free Bugs movement, in the same sense though I can’t sit around idly and wait for what’s been over 3 months since I found this issue, and Apple has not released a patch yet!

Apple also came back to me stating that they had addressed this vulnerability in iOS 3.2 and iOS 4.0. Well, erm, dunno how to tell you guys this but, nope, you didn’t. So being the nice guy that I am, I sent them the relevant crash logs as requested. Their response was the following:

“Hello xyberpix,

Thank you for forwarding this issue to us.  We take any report of a potential security issue very seriously.

After reviewing the issue, it appears that this denial of service issue results in the unexpected termination of MobileSafari, but not of the host operating system or a system service.  For our internal tracking purposes, this will be classified as a “Crash / Hang” issue. Although we do not see additional security concerns, we do consider this to be an important issue, and are working with the engineering team to address it.

If you have reason to believe that the issue has ramifications beyond terminating Safari (such as terminating the operation of the host operating system or system service, or executing arbitrary code), we would appreciate the steps to reproduce this, or crash logs from when you observed it.”

I then replied asking about this issue on platforms other than iOS, namely Windows and OS X, to which I received the following response:

“Hello xyberpix,

The crash is still a security issue on platforms on which it has not been addressed.  So far, it has only been addressed on iOS.

For the protection of our customers, we ask that you do not disclose details of this vulnerability until it has been addressed on all platforms.

When we release an update to address this issue on other platforms, you will be credited for the vulnerability.”

Okay, so let me get this straight, this is not a security issue on iOS, it’s a crash/hang issue, which they have apparently addressed in iOS 4, and I had to bug Apple about the Windows and OS X Safari issues, even after I informed them that it was possible to crash Safari on all platforms, not just iOS? Something’s not quite right here…

When I asked for a rough timescale on when a patch for this is going to be released, I was given the following response:

“The following information should be considered confidential.  We are sharing this information as a status update on an issue you reported.  Please do not share this information with others.

This issue has already been assigned CVE-20xx-xxxx, when it was fixed on iOS.

The issue is currently planned for our next available software update.  I don’t have a date for you yet, but we will coordinate with you closer to the release of the update.”

I completely understand confidentiality, but I also believe that security researchers should get more than just credit for discovering a vulnerability that Apple’s testers should have found in the first place.

Oh wait, it seems they did find it, but they just claimed to have fixed it, instead of actually fixing it, did I get that right?

My last attempt at contacting Apple was on the 2nd August 2010 to ask if they could please give me an official statement on this issue that I could include in this post, and if there was still no chance at all of getting some sort of reward for this finding. Their response was this:

“Hello xyberpix,

We do appreciate the time you took to find and report the issue to us.

As mentioned, it is not our policy to provide financial compensation for issues.”

I really don’t want this post to be taken the wrong way, yes I was looking for compensation for the vulnerability, but not thousands of dollars, just a little something to make the time spent on this one worthwhile. I also wanted to have an official statement from Apple on this one as to when they are likely to release a patch, neither of which they were willing to do. Personally I don’t feel that either of these things were too much to ask at all from a company that is growing in leaps and bounds each year.

If any Apple employees would like to discuss this one further with me, the case number for this issue is 111476071, and you have all my contact details.

As a matter of courtesy and security I will not be publishing the code for this DoS, as I do not believe that would be responsible. Once a patch that works has been released by Apple, I will upload the code. I have also removed the CVE number and the specific function that causes the crash.
I’m really looking forward to all your comments on this one people, as I’d love to hear your views.

  • anon

    Is this a joke???
    So let me get that straight… you took a fuzzer that someone else developed and you run it on Safari. You found a potential issue and you didn’t bother to research it but you preferred ZDI to do it. They were kind enough to tell you it was not exploitable for code execution. Given that fact you still bothered Apple and wasted a considerable amount of their resources, making even more confusion. (no surprise they take time addressing issue if they have to answer such stuff). On top of that you wanted an iPod for all this ???

    Please tell me it was a joke..

  • xyberpix

    @anon You’re kind of there, but missing quite a bit in between ;-)

    Yes I used a freely available open source fuzzer to find the issue. The same one that Apple staff could have used had they bothered. This is why we have so many software vulnerabilities, the tools are freely available for security researchers and Apple/Microsoft/Adobe employees to use and check their products, however they don’t.

    Yes I submitted it to ZDI, who informed me that this is a known issue (since January 2010). As for the reason that I didn’t take the time to research this one further, well that would have taken a considerable amount of time, and I am still working on this, I figured that the sooner that this is patched the better for everyone. Also, I am not going to spend more time on this for Apple, now this is completely personal. If it turns out that this may be more than a DoS on other platforms, I will either choose to keep the exploit in my private collection, or publicly release it.

    As for bothering Apple, Apple stated that it was fixed, when it clearly isn’t on iOS, also there is no mention of the details of this issue anywhere online. Apple also have no fix for this on Windows or OS X as yet. I’m not 100% sure if Apple even knew that this affected Windows or OS X versions of Safari, as the CVE related to this one only applies to iOS.

    As for wanting an iPod, nope I never mentioned an iPod at all actually.

    Hope that clears things up for you.

  • anon

    So you mentioned iPad and not iPod. Same thing for me :) The point is: While I also support the ‘No More Free Bugs’ initiative, I think some common sense should be applied. Do you really expect vendors giving free stuff for browser crashes? And do you really think that in that case the time that you put in running the fuzzer and sending a few emails to ZDI and Apple should be rewarded? I mean how much do you charge per hour? ;) If it is close to the iPad value maybe you should do some extra hours at work instead ;)

    Please don’t forget security has to be cost effective. And that also applies to Apple. If Apple were losing a lot of money because of security issues they would be giving sixpacks of iPads for every bug.

    We need to expect reasonable things.

    Best regards

  • Javantea

    Anon forgets that Apple puts their customers at risk when they give researchers the runaround. Being straightforward, fast and always giving credit where credit is due are not beyond the capacity of Apple. But why do researchers still have trouble getting that from vendors? Vendors know that researchers take into account the reward when they decide whether to coordinate disclosure or to do full disclosure. Because a bug is a DoS instead of code execution does not mean that Apple and ZDI should deny a researcher payment. Part of the No Free Bugs idea is that if a vendor was doing proper security testing, there would not be very many bugs found by researchers. Pay one researcher or pay another, you get a choice. You do not get the choice of letting researchers do your work for free.

    On the topic of using standard tools, it’s just smart business to try standard stuff first. If you find a bug with standard tools, who needs custom tools? Who says that a researcher can’t charge what the market is willing to pay? Alas it is the market that is not sold on the idea of paying independent researchers for their work. I guess that some researchers need to figure out a business model that teaches companies to fear them more. Or not.

  • anon

    @Javantea Even if Apple is capable of rewarding researchers it does not mean this would be a good business decision. And I think we can agree that you don’t have to teach Apple how to do business.

    Regarding an unexploitable for code execution DoS issue in a browser if I was a vendor I couldn’t care less. You can crash or make the browser unresponsive in thousands of different ways. More importantly have you ever seen an attack in the wild that targets a client side DoS issue?? So IMO the fact that a bug is a DoS DOES change a whole lot.

    Again, I am also supporting No Free Bugs but I am strongly opposed to going around asking for money just because you have a piece of code that will kill your browsing session.

    As it comes to tools, my point was that running an available fuzzer on a browser is not really hard research work that should be necessarily rewarded.
    And yes, Apple should probably do this themselves. But they can’t run all available tools. And also how do you know that they didn’t do it but decided to implement some more cool UI instead of fixing a highly unlikely to appear crash?

    Now if this turns out to be something more serious then it would be a totally different case. But that requires a *proper* kind of research. The kind that deserves rewards.

  • xyberpix

    @anon, In regards to doing the “proper” kind of research, are you volunteering? ;-)

  • anon

    @xyberpix, what are you offering as a reward? ;)

    Guys, I agree Apple has probably the worst security practices/processes from the big vendors. All I’m saying is that this is not one of these cases you should be making the point with. Security researchers need to be really reasonable in their demands to be listened to.
