A fatal flaw has been discovered with Apple’s web browser, Safari, where a simple image can crash the app. It’s another Safari Image of Doom.
I am not a developer. Nor am I a security guru. And quite frankly I don’t know my way around Unix, WebKit or Core Image. But I do know when there is an issue involving the aforementioned areas that needs to be addressed. This… Safari Image of Doom II, or whatever that is, needs to be addressed by Apple. And quickly.
Safari’s Kryptonite = An Image File
The lowdown: apparently Drunkenbatman, of drunkenblog.com fame, has brought to light a flaw in the way apps based on WebKit and WebCore handle certain images. It crashes them. Completely, unapologetically, and without prejudice, smacks them down like a redheaded stepchild.
Drunkenbatman does a better job than I ever could of expounding on this issue, and on why discoveries like this one hint at an OS that may not be quite as secure as we all like to believe. So rather than provide my own explanation of what this is all about, I will paraphrase his post.
- The image below crashes anything WebKit-based in a very hardcore way. Actually, it crashes anything using ImageIO. That includes the Finder and Preview and apps based on WebKit and WebCore like NetNewsWire.
- It’s remarkably similar to the Safari Image of Doom™ from a while ago, although this time ImageIO seems to be choking during an EXIF routine, so I won’t rehash what I said there. However, a few thoughts…
- This particular image (and ones like it) are already floating around on the web. It wasn’t “created” to show off a flaw.
- While it’s hard not to notice that an image is once again taking out Safari, it should be considered a security issue.
- Individual applications have all basically rolled their own support instead of using what Apple provides. You are able to open the image with Photoshop and GraphicConverter, and of course things like Camino and Firefox will view this page just fine. If a developer can’t trust Apple’s included solution to be robust, there’s little point in throwing it in aside from bullet points.
- Don’t underestimate the above, nor how widespread the problem is throughout Mac OS X. As an example, I have yet to encounter a developer needing to use SOAP services in a serious way on OS X that hasn’t given up on what Apple’s provided to the point where they just write their own stack.
- I haven’t met anyone at Apple that’s nervous of dropping OS X as it currently stands. So I’m always amused at what shows up around the web. And less amused by the pundits feeding it to them.
- I asked around and was told this issue has been reported as bug #4485821 in Apple’s system. No clue as to the status/resolution.
Drunkenbatman’s post has already elicited a wide range of responses from his readers, many of whom are just upset that he saw fit to include the aforementioned “Image of Death” directly in his post. I’m among the afflicted. My NetNewsWire promptly crapped the bed as soon as I clicked the link to the post.
“I’m aware many people who have the site in their feeds will be trying to access it via something based on WebKit/WebCore. Safari may have crashed, and you lost all your open tabs. You may have had your RSS reader up, and opened up some links in tabs, and down it all went. Read whatever you will into the fact that while these things did occur to me, I’m attaching it inline instead of linking to it separately anyways.”
I will not include the image in question in this post. But if you just have to see the bug in action, click (let me be clear: Safari WILL crash if you click the following links; there, consider yourselves warned) here or here.
Should We Worry About Another Safari Image of Doom?
I’m not worried, despite the unsettling ease with which a graphic can bring to their knees some of the very core applications in Mac OS X, namely the Finder, Preview, and Safari, that are impacted by this bug. It may be naive of me, but I am still unconcerned about the overall implications of such a flaw.
Don’t get me wrong, I understand just how significant a discovery this is, and how coding bugs such as this one can result in security breaches. But I am not worried. Maybe it is because I have become one of those unreasonably smug Apple users. I hear about people like me on pro-Microsoft websites (no seriously, there are some). Perhaps it is because I rubbed the bald head of my pure ivory Steve Jobs statue three times this morning for good luck. I really can’t say.
What I do know is that Apple has assigned this vulnerability a bug number. That # is 4485821. Which means the people who need to know about it, do. We’re in good hands. In fact, I have no doubt that Steve Jobs deprived some engineer of well-deserved quality time with the family to address this issue. And hopefully as quickly as possible!
Maybe when I wake up in the morning I will feel differently about how secure OS X is. Maybe. But honestly, I don’t see that happening.