Tuesday, April 04, 2006
Safari's Kryptonite - An Image File
I am not a developer. Nor am I a security guru. And quite frankly I don't know my way around Unix, WebKit or Core Image. But I do know when there is an issue involving the aforementioned areas that needs to be addressed.
This... whatever this is, needs to be addressed by Apple. And quickly.
The lowdown: apparently drunkenbatman, of drunkenblog.com fame, has brought to light a flaw/vulnerability/hole/giant boo-boo in the way apps based on WebKit and WebCore handle certain images. It crashes them. Completely, unapologetically, and without prejudice, smacks them down like a red-headed stepchild.
Drunkenbatman does a better job than I ever could of expounding on why discoveries like this one hint at an OS that may not be quite as secure as we all like to believe. So rather than stumble around attempting to provide my own explanation of what this is all about, I will paraphrase his post on the subject below (please keep in mind the image referenced in the following bullet points is not included in this post, for reasons that will become apparent to you soon enough):
- the image below crashes anything webkit-based in a very hardcore way. Actually, it crashes anything using ImageIO in a hardcore way, which includes the Finder and Preview.app and apps based on Webkit and WebCore...
- It's remarkably similar to the Safari Image of Doom™ from awhile ago, although this time ImageIO seems to be choking during an EXIF routine, so I won't rehash what I said there. However, a few thoughts...
- This particular image (and ones like it) are already floating around on the web. It wasn't "created" to show off a flaw.
- While it's hard not to notice that an image is once again taking out Safari (and it isn't as though the Finder needs much of an excuse to trip over itself) and there is inconvenience there, it should be thought of as a security issue first and foremost.
- Applications out there which aren't hitting the crashiness have all basically rolled their own support instead of using what Apple provides. You are able to open the image with Photoshop, and GraphicConverter, and of course things like Camino and Firefox will view this page just fine. If a developer can't trust Apple's included solution to be robust, there's little point in throwing it in aside from bullet points.
- Don't underestimate the above, nor how widespread the problem is throughout OS X. As an example, I have yet to encounter a developer needing to use SOAP services in a serious way on OS X that hasn't given up on what Apple's provided to the point where they just write their own stack.
- I haven't met anyone within Apple that's been around awhile who wouldn't admit over beers that they'd be mighty nervous dropping OS X as it currently stands into the orgy Windows swims in, so I'm always amused at what shows up around the web, and less amused by the pundits feeding it to them.
- I haven't dropped a lot of time into this since I came across it, but did ask around and was told it'd been reported as bug #4485821 in Apple's system. No clue as to the status/resolution.
DrunkenBatman's post has already elicited a wide range of responses from his readers, many of which I assume are just upset that DB saw fit to actually include the aforementioned "Image of Death" directly in his post, crashing countless instances of Safari, NetNewsWire and the like (count me among the afflicted, as my NetNewsWire promptly crapped the bed as soon as I clicked the link to his post).
From drunkenbatman:
"I'm aware many people who have the site in their feeds will be trying to access it via something based on WebKit/WebCore. Safari may have crashed, and you lost all your open tabs. You may have had your RSS reader up, and opened up some links in tabs, and down it all went. Read whatever you will into the fact that while these things did occur to me, I'm attaching it inline instead of linking to it separately anyways."
I will not include the image in question, as I would rather not tempt the regular readers I do have to delete StationA from their list of RSS feeds as retribution for my transgressions. But if you just have to see the bug in action click (Let me be clear; Safari WILL crash if you click the following links, there, consider yourselves warned) here or here.
It may be naive of me, but despite the unsettling ease with which a graphic can bring to its knees some of the very core applications in OS X, namely the Finder, Preview, and Safari, I am still unconcerned about the overall implications of such a flaw. Don't get me wrong, I understand just how significant a discovery this is. And how in the right, or wrong hands depending on how you look at it, coding bugs such as this one can be manipulated in ways that could conceivably result in security breaches Mac users have, to date, felt invulnerable to. But I am not worried. Maybe it's because it has been a long day, I'm beat, and I am finding it hard to muster up enough concern to be afraid of flesh, or OS, eating images on the web. Maybe it is because I have become one of those unreasonably smug Apple users I hear so much about on pro-Microsoft websites (no seriously, there are some). Perhaps it is because I rubbed the bald head of my pure ivory Steve Jobs statue three times this morning for good luck. I really can't say.
What I do know is that Apple has assigned this vulnerability a bug number, and that # is 4485821. Which means the people who need to know about it, do. We're in good hands. In fact I have no doubt that his Steveness deprived some engineer well deserved quality time with the family to address this unfortunate occurrence as quickly as possible, and is more than likely doing so as I write this post. That Steve, what a guy!
Maybe when I wake up in the morning I will feel differently about how secure OS X is. Maybe. But honestly, I don't see that happening.
- AH
[Via StationA.net]