Saturday, July 31, 2010

Favicon Security Issue Fixed in Safari 5.0

Earlier this month, Apple released Safari version 5.0 for Mac OS X v10.5 Leopard and v10.6 Snow Leopard as well as Windows XP, Vista, and 7 (in addition to Safari version 4.1 for Mac OS X v10.4 Tiger). Apple listed 49 separate security-related bug fixes in their "About the security content of Safari 5.0 and Safari 4.1" Knowledge Base article.

Apple fixed at least one other security-related issue that was not included in the list. I initially observed and reported this issue in June 2007 and again reported it on 15 June 2009. The following is based on my 2009 bug report submission to Apple:

Summary:
Safari has a checkbox for "Display images when the page opens" in the Appearance section of the Preferences dialog. When unchecked, this supposedly allows a user to disable the display of all images when a page opens. However, a Web page's favicon still loads even with this option unchecked. In the past, there have been numerous exploits in Safari where maliciously crafted images can lead to remote code execution, so it is very important that when people explicitly disable images, *ALL* images should be disabled.

Steps to Reproduce:
1) On any Mac or Windows PC, open Safari, go to the Preferences, go to the Appearance section, and uncheck "Display images when the page opens".
2) Go to any Web site that has a favicon and which you have not already visited (to ensure that the favicon isn't just being loaded from the cache). You will see that the favicon loads in the address bar even though the rest of the images on the page do not load.

Expected Results:
Safari should not load favicon images when "Display images when the page opens" is unchecked, so as to avoid exploitation and potential remote code execution via a maliciously crafted image.

Actual Results:
Safari loads favicon images regardless of whether "Display images when the page opens" is unchecked.

Regression:
This vulnerability has existed in Safari for many versions, including the latest version for Mac OS X and Windows. This bug has been verified to exist in the recently released Safari Version 4.0 (5530.17).

Notes:
I originally submitted this security bug report sometime after the original version of Safari for Windows was released (Safari 3.0). I will give Apple a reasonable period of time to fix this security problem before going public with this information.

I would appreciate Apple's acknowledgment of this issue and a time frame in which I can expect it to be fixed. Please reply ASAP. Thank you.

I discovered this issue because after the initial release of Safari for Windows I began using the Web browser as a sandbox for loading potentially harmful sites, disabling all active content (including JavaScript, Java, Flash and other plug-ins) as well as images.

Apple representatives e-mailed me after the release of Safari 5.0 and Safari 4.1 to inform me that this issue had finally been resolved.
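The "Steps to Reproduce" above rely on watching the address bar, which cannot distinguish a fresh fetch from a cached icon. A more reliable way to check whether a browser honours an "images off" setting is to serve a page yourself and record which resources the browser actually requests. The following harness is an added example, not part of the original post or anything Apple shipped: it serves a constructed page with one inline image and an explicitly linked favicon, marks both uncacheable, and reports which of them the client fetched. The page markup, the `/favicon.ico` and `/image.png` paths and the default port 8000 are assumptions of this example.

```python
"""Local harness for checking whether a browser fetches a page's favicon
(and inline images) when its "display images" preference is disabled.
Added example; not code from the original post or from Apple."""
import http.server
import socketserver
import threading
import urllib.request

# Constructed test page: one inline image plus an explicitly linked favicon.
PAGE = b"""<!doctype html>
<html><head><title>favicon check</title>
<link rel="icon" href="/favicon.ico"></head>
<body><p>favicon check</p><img src="/image.png" alt="inline image"></body></html>
"""

# A 1x1 transparent GIF, served for both the favicon and the inline image
# so the example needs no files on disk.
GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00!\xf9\x04"
       b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


class RecordingHandler(http.server.BaseHTTPRequestHandler):
    """Serves the test page and records every path the client requests."""
    requests = []  # shared across requests; reset by start_server()

    def do_GET(self):
        RecordingHandler.requests.append(self.path)
        if self.path == "/":
            body, ctype = PAGE, "text/html"
        elif self.path in ("/favicon.ico", "/image.png"):
            body, ctype = GIF, "image/gif"
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        # Defeat the browser cache so every visit is a genuine network fetch.
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the console quiet; the recorded path list is the output


def summarize(paths):
    """Reduce the recorded paths to what matters: was the page loaded, and
    did the client fetch the favicon and/or the inline image?"""
    return {
        "page": "/" in paths,
        "favicon": "/favicon.ico" in paths,
        "inline_image": "/image.png" in paths,
    }


def start_server(port=0):
    """Start the recording server on a background thread; returns (server, port).
    Port 0 lets the OS pick a free port."""
    RecordingHandler.requests = []
    server = socketserver.TCPServer(("127.0.0.1", port), RecordingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_client(port, paths):
    """Fetch the given paths from the local server, standing in for a browser,
    and return the summary of what the server recorded."""
    for p in paths:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{p}") as resp:
            resp.read()
    return summarize(RecordingHandler.requests)


if __name__ == "__main__":
    server, port = start_server(8000)
    print(f"Open http://127.0.0.1:{port}/ in the browser under test "
          f"with images disabled, then press Enter.")
    input()
    # With images disabled, a browser that honours the setting should show
    # page=True and both favicon and inline_image False.
    print(summarize(RecordingHandler.requests))
    server.shutdown()
```

Run the script, point the browser being tested at the printed URL with images disabled, and press Enter: a result of `{'page': True, 'favicon': True, 'inline_image': False}` is exactly the behaviour the bug report describes, while `favicon: False` is what the fix in Safari 5.0 should produce. The `Cache-Control: no-store` header replaces the "a site you have not already visited" step, since it prevents a cached icon from masking a fetch that did or did not happen.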

Apple has yet to resolve an arguably more serious issue: Safari 5.0.1 still hides the Status Bar by default, making it impossible to know a link's destination before clicking on it. The average user will not be security conscious enough to enable the Status Bar on his or her own. The workaround is simple (just select "Show Status Bar" in the "View" menu), but the point is that Apple should make it easier for its millions of Safari users to identify suspicious links with the default settings.
