Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Google Criticizes Apple Over Safari Security, Flaw Disclosures

One Year After Release, Google Fuzzer Still Finds Many Flaws in Safari

One year after it was released as open source by Google Project Zero, the Domato fuzzer has still found a significant number of vulnerabilities in Apple’s Safari web browser.

One Year After Release, Google Fuzzer Still Finds Many Flaws in Safari

One year after it was released as open source by Google Project Zero, the Domato fuzzer has still found a significant number of vulnerabilities in Apple’s Safari web browser.

In September 2017, Google Project Zero researcher Ivan Fratric announced the release of a new Document Object Model (DOM) fuzzer designed for testing web browser engines. At the time, he revealed that Domato had helped him find more than 30 vulnerabilities, including two flaws in Chrome’s Blink engine, four in Firefox’s Gecko, four in Internet Explorer’s Trident, six in EdgeHtml, and 17 in Safari’s WebKit.

Since the highest number of security holes was found in WebKit, Fratric recently decided to once again test it to see if any improvements have been made by Apple.

The same type of testing – running 100 million iterations using computing power that could be purchased for roughly $1,000 – Fratric uncovered nine new vulnerabilities, including six in what at the time was the current version of Safari. The researcher also noticed that a majority of the bugs were in the WebKit code for more than six months before they were discovered.

“While 9 or 6 bugs (depending how you count) is significantly less than the 17 found a year ago, it is still a respectable number of bugs, especially if we take into an account that the fuzzer has been public for a long time now,” Fratric said in a blog post.

In an effort to demonstrate the risk posed by the types of flaws identified using the Domato fuzzer, Fratric created an exploit for one of the use-after-free issues – these types of bugs can in many cases allow arbitrary code execution.

The expert reported his findings to Apple in June and July, and patches were released in September. However, Fratric has criticized the tech giant for not disclosing the existence of the vulnerabilities in the initial version of its advisories.

Advertisement. Scroll to continue reading.

Specifically, Apple resolved the flaws with the release of iOS 12, tvOS 12 and Safari 12 on September 17, but did not mention them in its advisories. Instead, the company added information about the security bugs to its initial advisories only on September 24, when it also released updates and advisories for macOS Mojave 10.14.

“The original advisories most likely didn’t include all the issues because Apple wanted to wait for the issues to also be fixed on MacOS before adding them. However, this practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released and the impression they would to get is that the product updates fix far less vulnerabilities and less severe vulnerabilities than is actually the case,” Fratric said.

“Furthermore, the practice of not publishing fixes for mobile or desktop operating systems at the same time can put the desktop customers at unnecessary risk, because attackers could reverse-engineer the patches from the mobile updates and develop exploits against desktop products, while the desktop customers would have no way to update and protect themselves,” he added.

Related: Google Discloses Unpatched Vulnerability in Edge Web Browser

Related: How Apple’s Safari Browser Will Try to Thwart Data Tracking

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...