Apple has just released version 3.01 of their Safari web browser, together with some release notes on their Security-announce mailing list. As you can see from those release notes the vulnerability that I discovered is one out of three that have been fixed, and as far as I can tell right now the vulnerability has indeed been fixed.
Quotes and whitespace are now filtered on any requests to external URL protocol handler applications, but other characters are still being passed without filtering, so I expect to find some variations pretty soon.
I want to congratulate Apple for fixing a serious security vulnerability in such a short time frame. Their usual response time can be counted in weeks to months. When I emailed them about the vulnerability it took them 2 days to even respond, which only happened after I asked for a non-automated reply. When I filed a bug on the WebKit tracker, bug 1481, nothing happened for a day except that some guy from ‘gentlyusedunderwear.com’ added himself to CC.
A beta version stays at the same version number until it is complete, so I guess this is positive confirmation that Safari 3 is not intended as a beta release.
As for myself, I am currently at work and will have to wait for some hours before I can dig really deep into the updated version of Safari.
Cheers
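The difference between the filtering described above (drop quotes and whitespace, pass everything else) and allowlist percent-encoding, as an added example that is neither from this post nor Apple's code. The function names, the `example:` scheme and the sample URL are hypothetical, and the denylist is modelled only on the post's one-sentence description of the 3.0.1 behaviour.

```python
import re
import string
from urllib.parse import quote

# Assumption: models the post's description of the fix, not Apple's actual code.
DENYLIST = set("\"'") | set(string.whitespace)

# Characters allowed through unencoded: RFC 3986 unreserved characters plus
# the few delimiters needed to keep the URL parseable. "%" stays so that
# input which is already percent-encoded is not encoded twice (assumption).
SAFE_DELIMS = "/?&=#%"
ALLOWED = set(string.ascii_letters + string.digits + "_.-~:" + SAFE_DELIMS)

SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")


def denylist_filter(url: str) -> str:
    """Remove only the characters named on the denylist."""
    return "".join(c for c in url if c not in DENYLIST)


def allowlist_encode(url: str) -> str:
    """Percent-encode everything outside the allowlist before handing the
    URL to an external protocol handler."""
    scheme, sep, rest = url.partition(":")
    if not sep or not SCHEME_RE.fullmatch(scheme):
        raise ValueError("not an absolute URL with a valid scheme")
    return scheme + ":" + quote(rest, safe=SAFE_DELIMS)


def residual_chars(url: str) -> list:
    """Characters that reach the handler without being on the allowlist."""
    return sorted({c for c in url if c not in ALLOWED})


# Constructed sample input, not taken from any real report.
SAMPLE = "example://host/path?q=a b\"c'd`e|f<g>"

if __name__ == "__main__":
    filtered = denylist_filter(SAMPLE)
    encoded = allowlist_encode(SAMPLE)
    print(filtered, residual_chars(filtered))
    print(encoded, residual_chars(encoded))
```

The denylist output still carries characters nobody reviewed, while the allowlist output can only contain characters that were explicitly approved.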

‘I guess this is positive confirmation that Safari 3 is not intended as a beta release.’
Either that or Apple are a wee bit confused.
[...] confirms the bug has been fixed but suggests there may still be some related problems: Quotes and whitespace [...]
Apple Updates Safari for Windows…
In an un-Apple like fashion they have released an updated version of Safari rather quickly. The description in the software updater:
Safari Beta 3.0.1 for Windows is recommended for all users and improves its security.
Wow, this means they admit Sa…
[...] Apple for fixing a serious security vulnerability in such a short time frame,” he wrote in a blog posting. “Their usual response time can be counted in weeks to [...]
You rule dude! Just found your blog.. dig the way you are real.
[...] …said Uncle Steve somewhere at WWDC, and maybe against Internet Explorer it works out for him (on bugs, as pancho recounted), but against Firefox, it is a bit harder. Four days after having launched the first ehhrgrg uhmm, beta? of Safari for Windows, and having patched not one, not two, but three bugs with this new -and improved- version, it is being called into question again. [...]
[...] impressive - 3 days after the original release and the justified shit-storm that followed, 3.0.1 got out. Thor Larholm mentions his finding is no longer exploitable on this version [but still very much so [...]
[...] being “as unstable and unreliable as its predecessor”. For his part, Thor Larholm comments on his blog that he is at work right now and does not yet have time to take a look at the [...]
They fixed five security issues, without crediting any of the bug finders.
There are additional vulnerabilities that have been disclosed, reported to Apple (with no reply), and haven’t been fixed:
http://www.rec-sec.co.il/2007/06/12/apple-safari-for-windows-vulnerabilities/#one
I see no point in that.
Cool, keep up the bug finding! It’s super super easy to do URL encoding, I’m somewhat shocked that they didn’t just use that function. And thanks for the extra explanation in the comments of the previous article, it became much more clear.
I believe Apple’s policy is not to credit researchers in security updates unless they practice responsible disclosure. Those that let Apple know about a security issue and provide some time window for a fix to be released before publishing details to the public are credited as you can easily see by looking at the details of Apple’s past software and security updates.
“Anon Ymous” is partially right, Apple will only credit researchers in their security updates if those researchers have given them advance notice and not released any information about that vulnerability until Apple has released a patch for the vulnerability.
Whether or not that is the definition of ‘responsible disclosure’ has been debated for many years. One thing that is certain is that the length of that time window for the patch release, whether it be days, weeks, months or years, is entirely up to Apple’s own discretion.
There are not that many enticing reasons for following a vendor procedure that is lacking in definition and can be changed at will.
I have definitely received proper credit for the discovery of this vulnerability by the security community at large.
Regards
Thor Larholm
And now 3.02 is out - while I think it is great that Apple reacts so quickly to all the security issues, it also gives a clear signal that their beta was more of an alpha… 3.0 simply was not ready to hit the users, but I guess Apple had to deliver something for their conference. Apple can pretty much get away with everything these days because (for some crazy reason) everybody is believing the hype surrounding the company.