Apple declines to fix vulnerability in Safari's Web Archive files, likely because it requires user action to exploit | iMore.com
Metasploit software developer Joe Vennix has detailed a vulnerability in Safari’s webarchive file format, along with how it can be exploited. According to the post on Rapid7, the bug was reported to Apple back in February and closed last month with a status of “wontfix”, indicating that Apple has no plans to address it. So what is the bug, and why won’t Apple fix it?
In Safari, if you go to save a web page, one of the format options is Web Archive. In many browsers, saving a web page locally stores only the page’s HTML source, so any images, embedded videos, linked stylesheets or JavaScript are lost. When you open such a locally saved copy, it is missing all of that additional content and often shows little more than the page’s text and broken images. Safari’s Web Archive format saves not only the page’s HTML but also any linked content. When you open a Web Archive file, you see the page as it originally appeared on the Internet, with all images, styling, and linked content preserved.
The bug in Safari’s security model is a lack of restriction on what data the files in a web archive can access. Normally a page from apple.com is restricted to reading cookies that belong to the apple.com domain; it cannot read cookies from another domain, such as gmail.com. This restriction is critical: if all of your cookies were readable by any website, it would be trivial for a malicious site to send them back to an attacker, who could then log in to your accounts on any number of websites. In the case of Safari’s web archives, a malicious web archive can not only access content stored by another site, but potentially any file on the victim’s computer.
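As an added illustration (not code from the Rapid7 post or from iMore), here is a small Python triage script that parses a .webarchive, which is a binary property list, and flags the properties the paragraph above describes as dangerous: resources pulled from an origin other than the main page’s, references to local files, and script. The plist keys (WebMainResource, WebSubresources, WebSubframeArchives, WebResourceURL, WebResourceMIMEType, WebResourceData) are the ones Safari’s format uses; the sample archive is constructed inline and is not a real capture.

```python
import plistlib
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host) of a URL: the pair a same-origin check compares."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower())

def _walk(archive, top_origin, where, findings):
    """Visit the main resource, its subresources and nested subframe archives."""
    main = archive.get("WebMainResource", {})
    resources = [(where, main)]
    resources += [(where + " subresource", r) for r in archive.get("WebSubresources", [])]
    for label, res in resources:
        url = res.get("WebResourceURL", "")
        mime = res.get("WebResourceMIMEType", "").lower()
        if origin(url)[0] == "file":
            findings.append((label + ": references a local file", url))
        elif origin(url) != top_origin:
            findings.append((label + ": content from another origin", url))
        if "javascript" in mime:
            findings.append((label + ": external script", url))
        if "html" in mime and b"<script" in res.get("WebResourceData", b"").lower():
            findings.append((label + ": inline script", url))
    for frame in archive.get("WebSubframeArchives", []):
        _walk(frame, top_origin, where + " subframe", findings)

def audit_webarchive(data):
    """Return (reason, url) findings for the raw bytes of a .webarchive file."""
    archive = plistlib.loads(data)
    top = origin(archive.get("WebMainResource", {}).get("WebResourceURL", ""))
    findings = []
    _walk(archive, top, "main", findings)
    return findings

def resource(url, mime, body):
    # Minimal resource dictionary in the shape Safari writes into the archive.
    return {"WebResourceURL": url, "WebResourceMIMEType": mime, "WebResourceData": body}

# Constructed sample (not a real capture): a page from example.com that pulls in
# a script from another host, a local file, and a cross-origin subframe.
SAMPLE = plistlib.dumps({
    "WebMainResource": resource("https://example.com/index.html", "text/html",
                                b"<html><body><script>/* inline */</script></body></html>"),
    "WebSubresources": [
        resource("https://example.com/logo.png", "image/png", b"\x89PNG"),
        resource("https://example.net/track.js", "application/javascript", b"void 0;"),
        resource("file:///tmp/notes.txt", "text/plain", b"private"),
    ],
    "WebSubframeArchives": [{"WebMainResource": resource("https://example.net/frame.html", "text/html", b"<p>hi</p>")}],
}, fmt=plistlib.FMT_BINARY)
```

Running `audit_webarchive` over a downloaded archive before opening it in Safari lists every cross-origin, file-backed or script-carrying resource, which is exactly the content the missing origin restriction would let run with access to other sites’ data.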
With such a serious-sounding vulnerability, you might be wondering why Apple wouldn’t want to fix it. The answer seems to be that an exploit like this cannot be accomplished without user action: you cannot be affected unless you download and open a malicious .webarchive file. Users can avoid being attacked by following the age-old advice of not opening strange files from the Internet (or anywhere else, for that matter). That said, some people still do and surely will continue to do so. Given the potential impact of a vulnerability like this on users, it certainly seems like something Apple would want to fix at some point.
If you’re interested in understanding more about how this bug works or can be exploited, Joe’s blog post covers several real-world examples of how it could be used.
Source: Rapid7
Nick Arnott
Security editor, breaker of things, and caffeine savant. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.
Other concerns aside for the moment, is the version of webarchive used in iTunes LP and extras vulnerable? If so, this seems like a mistake to leave open, as most people do not know the format is in use there, nor does it seem wise for Apple to trust only pre-store inclusion scanning.
Well, let’s hope they work it out.