Security Experts:

Secunia Slams Apple Over Vulnerability Handling, Publicizes Safari Flaws

Apple Criticized Once Again for Its Silience and Uncooperative Ways When It Comes to Fixing Vulnerabilities in its Products

Secunia, a Copenhagen, Denmark-based firm focused on vulnerability management and intelligence solutions, recently published a security advisory in connection with two Safari vulnerabilities, which if exploited could allow the remote compromise of a machine. The reason for going public, the security firm explains, is due to Apple remaining silent on the issues for more than six months.

According to Secunia, one vulnerability in question is caused due to plug-ins being unloaded when navigating to a new page while the user interacts with the plug-in (e.g. displays the context menu).

”If the plug-in has called a blocking function (e.g. TrackPopupMenu) before Safari navigates to another page, the API call may block until after Safari unloaded the plug-in, which can lead to the API call returning to freed memory,” the advisory explains.

Secunia Employees at RSA Conference 2012Based on the research, the issue impacts Safari users on Windows only, with the RealPlayer and Adobe Flash plug-ins installed. Secunia’s actions align with their policy to publically report vulnerabilities if a vendor fails to respond within six months.

“One interesting thing about this disclosure is they describe it as allowing 'user-assisted remote attacks',” Andy Chou, Founder & CTO at software analysis firm Coverity told SecurityWeek. “From the longer description, it appears that the vulnerability requires a kind of race condition to occur where a user interacts with a plugin at the same time the browser is navigating to a new page.” The window of time where the vulnerability exists would affect how reliably it could be exploited in practice. In the extreme, a vulnerability of this form might only be exploitable if the user actively tries to cause this condition by repeatedly interacting with a plugin while simultaneously switching pages.”

Could Apple be downplaying this vulnerability based on the rare conditions required in order to exploit the vulnerability, or is the company handling this as it would all vulnerabilities? Perhaps Apple isn’t making a fix a priority since the bug affects users on Windows and not its own Mac platform? This is by no means the first time Apple has been criticized for its lack of communication and response to reported security vulnerabilities. It’s just the latest example of some of the frustrations many researchers and security firms have had in working with tight-lipped Apple.

On Apple’s product security page, the company states, “Because we focus our response efforts to have the greatest impact across Apple's product line, we generally will not respond to the [vulnerability report] e-mail messages unless further information is needed for a security issue.”

Furthermore, Apple adds, "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

But Secunia believes this isn’t the way to do business and address security issues in the technology space.

”In this specific case, Apple had 6 months to look into the coordinated vulnerability - and 8½ months looking into another Safari vulnerability also published this week. As both vulnerabilities were subject to our old disclosure policy, Apple had up to 1 year to issue fixes as long as they could provide proper status updates. Our new disclosure policy published in 2012 provides a 6 month semi-hard deadline,” Secunia’s Chief Security Specialist, Carsten Eiram explained in a blog post.

"The vulnerability disclosure argument has been around for a long time with security researchers and software vendors often butting heads on what the process of fixing and disclosing vulnerabilities should look like,” Jaime Blasco, Lab Manager at AlienVault told SecurityWeek. “What's most frustrating for security researchers is when they report a vulnerability to a vendor and the vendor denies the security flaw. We've seen this happen a number of times, even when government organizations like US CERT get involved.”

“The topic of vulnerability disclosure is a controversial one. From a development organization's point of view, fixing previously shipped code can be very expensive and risky,” Coverity’s Chou added. “Developers need to be pulled off of projects developing future products and features; the vulnerability needs to be carefully researched and fixed; and the modified code needs to be tested thoroughly so other functionality is not broken. Right or wrong, sometimes a development organization may decide that a vulnerability is not important enough to warrant a fix until the next "convenient" scheduled release of a product.

The Cupertino, California-based tech titan says that it works with the formal incident response community to distribute information, and that most of its security notices are distributed by CERT/CC at the same time as they are sent through Apple's own channels. Apple is a member of the Forum of Incident Response and Security Teams (FIRST), and cooperates with other FIRST members to disseminate security-related information, the company said.

”It's regretful to experience that there are still some major software vendors that do not understand how to properly work with researchers,” Eiram added. “Hopefully, Apple will in the future strive to work better with researchers to ultimately protect their customers by providing more informative status updates and estimated fix dates instead of prioritizing antiquated internal policies higher.”

Related Reading: Secunia Launches Reward Program for Vulnerability Coordination

Mike Lennon contributed to this report.

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.
view counter