Metasploit software developer Joe Vennix has detailed a vulnerability in Safari’s webarchive file format along with how it can be exploited. The post on Rapid7 says that after being reported to Apple back in February, the bug was closed last month with a status of “wontfix”, indicating that Apple has no plans to address the bug. So what is it and why is that?
The bug found in Safari’s security model is a lack of restriction on what data can be accessed by files in a web archive. Normally a page like apple.com would be restricted to reading cookies that belonged to only the apple.com domain. It could not read cookies from another domain, such as gmail.com. This is critical because if all of your cookies were readable by any website, it would be trivial for a malicious site to send your cookies back to an attacker, who could then log in to your accounts on any number of websites. In the case of Safari’s web archives, it’s possible for a malicious web archive to not only access content stored by another site, but potentially any file on the victim’s computer.
With such a serious sounding vulnerability, you might be wondering why Apple wouldn’t want to fix it. The answer seems to be that an exploit like this cannot be accomplished without user action. You couldn’t actually be affected by this unless you were to download and open a malicious .webarchive file. Users can avoid being attacked by employing the age old advice of not opening strange files from the Internet (or anywhere else for that matter). That said, some people still do and surely will continue to do so. Given the potential impact of a vulnerability like this on users, it certainly seems like something Apple would want to fix at some point.
If you’re interesting in understanding more about how this bug works or can be exploited, Joe’s blog post covers several real world examples of how it could be used.