My Jesus has street cred (aka, Do not read this post in Safari. Again.)
I was really surprised to see the following bit of Javascript show up in the comments of a previous post, and waited a while to see if it'd get picked up by anyone, but it didn't, so here we are. While I knew Apple had known about it internally for quite a while, I hadn't yet seen it floating about in the wild -- and I wasn't at liberty to say anything, as sometimes part of getting to know something is not being able to talk about it without making the life of the person who passed it on very difficult.
I'm also including it as a separate file for your perusal, as it nails Safari and other things that allow Javascript via WebCore and WebKit. Again, while I know Apple knows about this particular issue (i.e., it's in their system, and fixed in the nightly builds, which means this page won't crash in a forthcoming version of Safari), my knowledge of its existence consisted of sample code and the fact that they were aware of it...
I got curious as to how this person stumbled across it, and whether they were the original reporter of it to Apple as I didn't know the timeframe for how long Apple's known, so I gave Brent Traut a ping. Nice guy, was fine with my including his name and a link, and our conversation turned up:
- Brent found the nastiness at torrent-finder.com, via these steps:
  - Search anything
  - Click on the "New Nova" link
  - Boom go Safari
  He then whittled down the issue to that small bit of scripting, and submitted it to Apple.
- He wasn't sure when he'd found it and reported it, and it turned out he'd sent it in via consumer channels under the common misconception a human would see it.
- I asked for the creation date of the script on his server, which would at least give us a ballpark figure: His Killsaf.html was created on January 21, 2006.
While I know Apple is aware of it, without the radar number and date, there's only so much to infer. If he found it independently from what's in Apple's system, he went above and beyond what most users would do -- and it's another data point that those channels available are entirely ineffectual. Otherwise, a human did see his submission, and it's gone unfixed for months. Eww all around.
A few additional notes...
- Just because you're unaware of this stuff doesn't mean it's not there, and be under no illusion that there's not more floating around. I care less about another thing that can take down Safari and more about what you're not aware of.
- There's a lot you're not aware of, simply because Apple would prefer you're generally not aware of these things. I know I'm always amused by someone ranting about how APE or mach_star will bring about security Armageddon on a normal user's system as soon as a script kiddie finds them -- without realizing that more than those two projects are doing code injection in some form.
There's a bunch of apps that have rolled some form of the functionality on their own, and even entirely separate code injection projects going on -- in some cases no one knows how they're being used or why they exist. I don't lose sleep over it, but knowledge that these types of things exist certainly changes how I view some things, although you shouldn't interpret this as more than a data point meant to illustrate a point.
- Since the original Safari Image of Doom and Deja-Doom, around 10 image-related vulnerabilities have crossed in front of my eyes (primarily because people bring them to my attention after seeing the posts). Apple is aware of them all, some have been fixed, and they'll all (hopefully) get fixed eventually, but there's no real guarantee on the timetable. Most importantly, that it's going on to the degree it is should be serious cause for concern, whether a given bug can be further exploited or only acts as a DoS.
- When your neighbor's house catches fire due to faulty wiring after someone plugs in a space heater, you don't break out the marshmallows -- you check your damned wiring in case someone plugs in a space heater. Similarly, when another platform gets smacked by an issue, the correct response is not "Haha," but rather "Could we get hit by something like this, and if not, why?"
i.e.:
- Does the technology used to produce the code make us immune?
- Does the quality of the code we're using make us immune?
- Do the design decisions in the code we're using make us immune?
Not asking the questions because you don't want to hear the answers to them (or be forced to rethink what you've adopted from a pundit) doesn't make you any less vulnerable, it simply makes you less informed. To be fair, ignorance can often be more comforting in the short run. Hint: In the grand scheme of things, OS X and Windows are more alike than they are different now, because of the decisions they've made to accommodate the user.
"Unix Foundation!" is often pointed to as the panacea, however:
- Most of the scary stuff that's come out has been introduced via code Apple's tacked on top of the hardcore unix underpinnings.
- Unix and its system of permissions plays a very small role when it is systematically dismantled in order to make things more convenient for a single user, especially when the whole system essentially spreads its legs wide for whatever pushes its way over the network.
- When what immune system there is gets compromised due to fragile code pushed out the door to make a ship date, your likelihood of getting sick becomes more and more of a numbers game, adding up to the same calculated risks Microsoft originally took (and was subsequently burned by, causing a massive pause in development and an entire reorientation of how their software is developed and tested).
Now it's entirely fair to say you do lower your probability of getting sick by using OS X right now compared to Windows, however that probability should be drastically lower than it currently is, and the situation is getting more and more dangerous. Deciding everything is A-OK because viruses aren't in the wild yet is akin to deciding you don't need to do backups because you've never had a hard drive die.
Stuff is shipping that just shouldn't be in its current form, providing plenty of ways in for those with the will, while just hoping to God those with the will aren't paying attention. As a user you may be unwilling to demand better, and may even prefer not to know that it could be, but you for damned sure shouldn't be throwing stones.
Comments (61)
Posted by: Simon at April 12, 2006 01:08 PM
You f***ing f*ck, f*ckity, etc. Could you stop killing NetNewsWire.
Oh, wait, it remembers everything on restart ... I guess I'm fine then.
Posted by: Denis Defreyne at April 12, 2006 01:09 PM
Doesn't crash in WebKit nightlies! Woohoo!
Posted by: fulan at April 12, 2006 01:10 PM
Doesn't Omni use a modified version of webkit?
Posted by: dustin at April 12, 2006 01:11 PM
Aye, it crashed my Safari. My tabs! Oh, the woe...
Posted by: Ryan Green at April 12, 2006 01:24 PM
Also, you should add "also borks IE". It doesn't make it implode, but it just errors and doesn't display your page. Stupid work with your stupid windows...
Posted by: Aaron at April 12, 2006 01:25 PM
This post borked IE6 on a PC. It's not supposed to do that, is it?
Posted by: Nate at April 12, 2006 01:27 PM
I read the title in Safari's RSS reader, savvily copied the link, opened FireFox and, while I watched the bouncees, CLICKED THE DAMN LINK in Safari anyway. Oy...
Posted by: todd at April 12, 2006 01:28 PM
ie7 beta2 also borks. oops.
Posted by: Gareth Potter at April 12, 2006 01:34 PM
Aha! I was wondering what I did wrong when viewing your previous post.
Makes more sense now. :D
Posted by: btn at April 12, 2006 01:37 PM
"Do not read this post in Safari" is apparently NOT sarcasm.
Posted by: lixlpixel at April 12, 2006 01:41 PM
well - there are other things Apple knows about - for several months actually...
http://lixlpixel.org/safaricrash/ for example still crashes Safari.
and that's after two or three new versions of Safari were shipped.
Posted by: Daniel Brauer at April 12, 2006 01:56 PM
It's funny that the main usefulness of RSS in Safari so far for me has been to save WebKit from choking on drunkenblog. And drunkenblog serves as a reminder that I should run a backup now.
Posted by: O-(^_^ Q) at April 12, 2006 01:57 PM
We can blame this one on KHTML.
Posted by: Anthony at April 12, 2006 02:38 PM
Much like that text field problem when Tiger came out, you appear to be one of the only people willing to rock the boat on QA issues.
Even if you're pissing people off, don't ever think that there aren't those of us that appreciate it.
Posted by: arwenwitch at April 12, 2006 03:15 PM
Just done some testing... OK, Safari doesn't support DOM properly but I can't see anything dangerous there. Replace KillSafari by anything you like (I used eatPotatoes) and it will also crash.
For those who would like to know more about the DOM, here's an easy-to-understand explanation:
http://www.pageresource.com/dhtml/ryan/part4-1.html
Posted by: Tonio Loewald at April 12, 2006 03:51 PM
"Safari doesn't support DOM properly but I can't see anything dangerous there."
Actually, I'm not sure that the DOM specification indicates that this code should work.
JavaScript is interpreted, and the code is essentially "delete me". (It overwrites itself. The program counter then presumably looks for the next statement in the script to execute, fails to find it, and then crashes.)
This is a common failure condition in interpreted languages and while unfortunate, really shouldn't surprise anyone. Yes, Safari should handle it more gracefully, but I'm not sure that it should be considered clean code (FireFox has no issue with it.)
Note that in almost any runtime environment self-erasing code is non-trivial and a naive implementation will generally fail. E.g. an executable that attempts to delete itself will discover its file is locked (on a Mac).
Posted by: Tonio Loewald at April 12, 2006 03:52 PM
Oh and it generates a runtime error in IE7 beta.
Posted by: Tonio Loewald at April 12, 2006 03:56 PM
And knowingly posting stuff that's going to crash folks' browsers was dumb the first time, and getting old and dumb now. Crashing web browsers is (too) easy.
Posted by: Nick at April 12, 2006 04:13 PM
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 it works fine
In Internet Explorer v6.0.2900.2180 it puts up a dialog box with "operation aborted"
Posted by: Arwenwitch at April 12, 2006 04:14 PM
AGAIN: NOTHING TO WORRY ABOUT!
If you go to the link I send you will see this code is used to target layers. The KillSafari has NOTHING to do with the crash. You can replace that "fake command" by something as harmless as smellFlowers and Safari will crash. I also corrected the syntax "smellFlowers" instead of 'smellFlowers', just in case and Safari still crashes.
This bug, if annoying, is just but another DOM bug and developers know about it:
http://bugzilla.opendarwin.org/show_bug.cgi?id=8080
Please, next time, investigate before alarming people with bugs that have nothing to do with security!
Posted by: at April 12, 2006 04:19 PM
If you go to the link I send you will see this code is used to target layers. The KillSafari has NOTHING to do with the crash. You can replace that "fake command" by something as harmless as smellFlowers and Safari will crash. I also corrected the syntax "smellFlowers" instead of 'smellFlowers', just in case and Safari still crashes.
Oh. My. God. What does this have to do with anything?
Please, next time, investigate before alarming people with bugs that have nothing to do with security!
Google "denial of service"
Posted by: Robb Irrgang at April 12, 2006 04:20 PM
Nothing but respect for your blog, but this thing also crashes my RSS reader, Vienna, which automatically hopped to the most recent unread post (this one).
Again, like a lot of people said last time—what's stopping you from making it a linked file instead of your actual blog post? Quite annoying, and enough reason to take drunkenblog out of my feed reader. You probably won't miss me, but seriously…this shit's getting old.
Posted by: Steven Fisher at April 12, 2006 04:21 PM
Last I heard, OmniWeb used WebCore but not WebKit. I don't think it uses JavaScriptCore.
Posted by: Steven Fisher at April 12, 2006 04:37 PM
Just looking through Bugzilla, there are a lot of unfixed crashers. Of course, not all of those are deployed in a release build of Safari (though not many of them are marked as regressions)... but then again, not all the ones already fixed have had their fix deployed.
Posted by: Arwenwitch at April 12, 2006 05:05 PM
What does it have to do with anything?
Using killSafari as an ID is misleading. For those who are not familiar with scripting it looks as though this script can trigger Safari the same way a Terminal command would. Furthermore when Drunkenblog describes that bug as if it were a security issue Apple was hiding from us or was not addressing. That's what I wanted to clarify.
Again, this is a simple bug and there's nothing new in the fact that Safari has problems to handle javascript. I regularly experience crashes on scripted sites that Firefox has no problems with. Safari is a good browser but still needs improvement. No browser is perfect!
Posted by: Rosyna at April 12, 2006 05:23 PM
The nightlies.. they are your lover. Make them mine?
Posted by: Ben Donley at April 12, 2006 05:35 PM
"As a user you may be unwilling to demand better, and even prefer not to even know that it could be, but you for damned sure shouldn't be throwing stones."
WTF do you mean by that? Are you upset with all the people saying that you shouldn't report bugs in public? Because I don't remember hearing that.
Posted by: Wonko at April 12, 2006 06:14 PM
No surprise this kills Shiira too, which is why I keep iCab around.
Posted by: drunkenbatman at April 12, 2006 06:56 PM
ie7 beta2 also borks. oops.
Noggle, I wondered if someone would catch that by the time I'd awoken from my nap. A Microsoft employee informed me a bug has been filed against it.
Posted by: Peter da Silva at April 12, 2006 07:30 PM
Db writes: "In the grand scheme of things, OS X and Windows are more alike than they are different now, because of the decisions they've made to accommodate the user."
Speaking as someone who's been pointing out the chunks of sky lying around for the past couple of years, and who's been trying to get people at Apple to reconsider just one of the poor decisions they've made in Safari, I think that's going a bit overboard.
The deep and unfixable problems inherent in the design of the microsoft HTML control are a whole different kind of problem than the ones I've found in Safari, and that includes memory corruption crashes in image parsers as well as my favorite... the idea that there are "safe files". IE gets those as well... but nothing I know of except IE has to deal with "security zone" attacks.
Posted by: bonaldi at April 12, 2006 07:59 PM
FFS, DB, twice is taking the piss. It's not even as if you have the defence of "I need to tell p30pl3 about this" because *it's already fucking fixed in the nightlies*.
Utterly childish, this time.
Posted by: Ben Donley at April 12, 2006 08:36 PM
It was childish both times. He apparently despises his readers. At least a large segment of them.
Remember way back when some researcher asked DB for anonymized log files for records of a slashdotting? He asked whether his readers thought that was ok. I have no idea what compelled him to ask such a question, as the information provided by you to DB (minus your IP number) cannot be described as private in any way.
Did his opinion of us change significantly, or does he just have extremely poor judgment about what is and is not ok with his readers?
Posted by: Daylight_Savings at April 12, 2006 09:34 PM
"Did his opinion of us change significantly, or does he just have extremely poor judgment about what is and is not ok with his readers?"
Is it his duty to service his users or himself?
NNW and Camino user. No crashes. Maybe I would feel differently if I had crashes. I don't think so though. If it crashed Camino, I would open Safari to view. Why should he tiptoe around what crashes Safari? Are Mac users so spoiled they expect the world to work around their software limits? He seems to have his reasons. I wish he would detail them, but when he has in the past, later he said why he could not. Maybe it is important. Maybe it is not, and just a fuck you. Maybe he is the one person with a blog wanting fewer readers. Maybe he decided he does not want Mac users reading anymore. Maybe he gets a kickback percentage of Camino and Firefox downloads. Maybe he did it a second time as a message that the first time was for a reason, even after 200 people called him names. Maybe he did it a second time so those whining would see it would not change and leave? Maybe Microsoft is paying him. Maybe he shorted APPL stock. Maybe he is the one blogger that does not care how many readers he has. Maybe it is one big psychology experiment. Maybe he is the antichrist. Does it matter if there is not a gun to your head to come read this site?
Posted by: Tonio Loewald at April 12, 2006 10:02 PM
"...Does it matter if there is not a gun to your head to come read this site?"
Nope, and you're entitled to post idiotic comments on his blog (until he disables them) as am I.
"And do endeavor to appear sane."
Sound advice, I think.
Meanwhile, I like db's posts in general, and I think it's important for people who are truly invested in the Mac platform to be critical of it. I just don't think that crashing folks' browsers (especially those who've bookmarked your site and visit it regularly) is terribly helpful.
Posted by: j at April 12, 2006 10:05 PM
Damn DB, now you're the anti-christ. Major props.
Posted by: bonaldi at April 12, 2006 10:43 PM
Are Mac users so spoiled they expect the world to work around their software limits?
Oh yeh, blame the victims.
Say there's a loose floorboard at work over a sewer pit. You find out about and tell the bosses. They say they'll fix it soon. Do you:
A. Put up a big sign warning everyone about it in the meantime
B. Pull it out and conceal the gap so that anyone walking over it falls up to their necks in shit?
DrunkenBatman chose B. The defence is that doing so will make the company fix it sooner. But this time ... it's already fixed! So there's no defence. At all. He's just being lame.
(And your post is like going up to the guy swimming in shit and saying "sheesh, are you so spoiled you expect the world to take care of you?")
Posted by: willc2 at April 13, 2006 12:38 AM
Crashes IE 2.5.3 in Tiger as long as Javascript is on.
Posted by: Art at April 13, 2006 01:44 AM
I stopped using Safari and Firefox about a month and a half ago (right about the time I bought an Intel Mini...hmmm) because of frequent and unpredictable hanging and/or crashing, before seeing the Picture-o'-Doom.
So, I ask you on behalf of all Camino users, can you find us something to crash our browser, especially since it's unique in lacking tab-saver support?
Pretty please?
Posted by: tom at April 13, 2006 02:05 AM
What is the point of these posts? Software has bugs?
You seem to think that the Mac OS has gotten buggier recently.. I think you just started paying better attention.
Posted by: Meat Magi at April 13, 2006 04:53 AM
I dunno about the rights and wrongs of this, and truly I can't be arsed to care that deeply, but all I know is that since I have Safari's RSS article length slider set to only show the site's title, this poxy link caused me to lose about 15 tabs I had lovingly clicked and was looking forward to reading. Sure, nobody died but going back through all the sites to re-open the tabs was just an unnecessary pain in the ringpiece - especially early in the morning.....
DB - It would be cool if you could maybe post a separate link on the page to the bad bit of code instead of making it crash the whole app right off the bat (no pun intended!). Would you consider that for the future?
Obviously I don't HAVE to view the site, but the point is that I enjoy it immensely and it would be nice to be able to do so without this unsavoury behaviour from my browser, caused by deliberate insertion of something nasty in the page by your good self.
Cheers matey
Posted by: Richard Ashe at April 13, 2006 08:40 AM
I barely read up to Jesus in the title before it crashed Shrook, my RSS aggregator. Camino seems healthy though. Thanks for the heads up.
Posted by: the powerbook king at April 13, 2006 03:02 PM
way to go DB! ignore the naysayers and the MacMacs.
Posted by: Bahi at April 13, 2006 07:55 PM
Ah, the lost tabs, the lost seconds.. it took most of you more time to post your laughable responses than it did to reopen your tabs. Get real. Coffee may be hot. Be thankful that someone here is a) pointing out what needs to be fixed and b) getting the people who can do something about it to see exactly how irritating its effect is and to do something about it. There is no overlap between the whiners here and the people who want to and need to know exactly what's broken and how.
Posted by: tom at April 14, 2006 12:07 AM
I hope we get some more emails from Wincent about this one...
Posted by: Joel at April 14, 2006 03:00 AM
I'm pretty sure you can prove a point without resorting to crashing a browser...
I want to read your blog and use my preferred browser.
If it came down to a choice between the two, my browser would win. There's plenty of other blogs that don't force me to use another browser.
Posted by: MACC at April 14, 2006 06:29 PM
On the Windows side I can't view this with the SBC Yahoo browser nor the AOL Explorer browser thing. But have no problem with Firefox.
Posted by: apt at April 15, 2006 04:11 AM
2 Bugs down, so I guess there's only another 150+ safari-crashing posts to go before DB has covered them all...
Unless this is all just part of a larger scheme to get us to switch to Mozilla based browsers...
Posted by: Peter da Silva at April 15, 2006 11:15 PM
Pretty soon people are gonna hafta start reading this site using "telnet" and hand-crafted "GET" requests. :)
Posted by: Oudwei at April 16, 2006 11:21 AM
Either Drunky has no Windows users, or:
1. They all use Firefox
2. They all are 100 times more mature than his Mac readers
Posted by: AkumA at April 18, 2006 09:07 PM
I agree with the above who said the OS hasn't gotten buggier, you just started paying more attention. But not just you, everyone.
As their userbase grows, 2 things are going to happen. 1) Bugs will be found on an increasing basis, and 2) Apple will have to prioritize. I assume 2 to already be a factor in how fast bug fixes are released, and with the growing complexity of their software (and everyone's), there becomes a need for tighter control on when fixes are rolled out. In my company, we had been fixing bugs and rolling them out as soon as they passed regression testing until it seemed like every other week we had a release. Not only was it difficult to support this process, but the users bitched too.
Why should Apple release a fix as soon as they have it if it only affects a small percentage of users? That is, unless someone with a blog with several hundred thousand readers uses his credibility to bump up that percentage because he finds a particular bug annoying.
For this, I shake my finger at thee, DB.
But what I want to know is, why is all we are seeing of you lately a bunch of nit-picky rants about obscure bugs?
Not a thing about Boot Camp? Apple finally has a top performer (the MacBook Pro) and you don't even offer props? Don't be so bitter. Nothing is perfect.
Posted by: Egypt Urnash at April 19, 2006 12:33 PM
Dude. Way to drive your casual readers away.
I look at this blog every once in a while by coming here in Safari - I don't use RSS.
Right now, what I see when I come to drunkenblog.com is two Safari-crashing posts. Right there in the front, with no chance to do anything about it. Not behind a 'Continue reading...' or anything. Or rather, what I see is Safari crashing.
Are you trying to destroy any and all credibility you've built up as a Mac Pundit? Sure, publicize the bugs, fine. Drive away your casual audience, not so smart. Next time I think 'I think I'll go see what drunkenbatman is talking about, he's an interesting read now and then', I'll remember that you took down Safari and all the tabs I had open twice, and I probably won't bother switching to Firefox... and I probably won't type that address in the URL bar, either.
Posted by: EEK! at April 19, 2006 07:40 PM
Every time I see someone bitch that DB keeps blowing up WebCore I just smile and think how happy I am that I made the switch to Firefox as primary browser. Thank you MW. Thank you DB.
http://www.macworld.com/2005/09/reviews/browserrdp/
Posted by: engrish at April 19, 2006 10:35 PM
Dude. Way to drive your casual readers away.
You need something to read? Anything? Go to http://www.rixstep.com. :-)
Posted by: Don Lope de Aguirre at April 20, 2006 06:45 PM
DB, in the words of Jon Stewart, you're "a bit of a dick."
Bookmark deleted.
Posted by: Hello Kitty at April 21, 2006 08:51 AM
Quick!
Send the javascript in an email to Wincent Colaiuta!
Posted by: Stephen Deken at April 26, 2006 10:53 PM
Woah, both crashers gone. Why the change of heart?
Posted by: Old Europe at April 27, 2006 01:51 PM
Oh boring. Where is the quarrel? Where is the interesting stuff that made db worthwhile reading?
Posted by: Troy at April 29, 2006 03:10 AM
Also kills Internet Explorer for Mac.
What do you mean no one cares?
Posted by: Joe at May 3, 2006 01:22 AM
Time to clean up my bookmark tabs. This shit's out.
Please go fuck yourself.
Posted by: DWalla at May 4, 2006 02:31 AM
Well... being the lazy person that I am I haven't bothered reading every single comment to see if someone else has reported this. I'm running latest Webkit (via NightShift 1.4 auto-updates) and this bug has been squashed. So I suspect that there will be a patch update for Safari shortly with the bug fix.
Now you can all sleep in peace.
This post does not crash OmniWeb Version 5.1.3 (563.66), which also uses the WebKit framework. (Though it crashes Safari here too...)