Apple’s Safari Has Worse Security Than Internet Explorer [At Least in This Test]
The Project Zero team at Google has publicly released an automated security testing tool that helped them find 31 security bugs across the 5 major browsers. The release itself is mainly of interest to those who follow open source security testing tools, but the group also revealed that they found most of these 31 bugs in Apple’s Safari, calling the browser a “clear outlier”.
Safari seems to be in trouble
“Apple Safari is a clear outlier in the experiment with a significantly higher number of bugs found,” Google engineer Ivan Fratric, who is behind this automated security tool that spotted over 17 bugs in Apple Safari, wrote. “This is especially worrying given attackers’ interest in the platform as evidenced by the exploit prices and recent targeted attacks,” he added.
“It is also interesting to compare Safari’s results to Chrome’s, as until a couple of years ago, they were using the same DOM engine (WebKit). It appears that after the Blink/Webkit split either the number of bugs in Blink got significantly reduced or a significant number of bugs got introduced in the new WebKit code (or both).”
Apple has now received a copy of Fratric’s tool, which will hopefully help the company sort out the problems in Safari, now regarded as probably the worst browser in terms of security issues.
“To attempt to address this discrepancy, I reached out to Apple Security proposing to share the tools and methodology. When one of the Project Zero members decided to transfer to Apple, he contacted me and asked if the offer was still valid. So Apple received a copy of the fuzzer and will hopefully use it to improve WebKit.”
More about Fratric’s Domato fuzzer
In the past few months, every security bulletin from Apple has mentioned the Project Zero team, and specifically Fratric himself, mostly for finding problems in WebKit. Fratric has been doing so using a new tool for testing browser DOM (Document Object Model) engines, which he calls Domato.
Domato is a fuzzer that was designed to find security issues in Google’s Chrome, Mozilla’s Firefox, Apple’s Safari, and Microsoft’s Edge and Internet Explorer browsers. “DOM engines have been one of the largest sources of web browser bugs,” he wrote. Apparently, these bugs can be easily found by fuzzing – a process that involves feeding the software with random code (around 100 million times) in an attempt to cause crashes.
Here’s the number of security bugs found in each of these most popular browsers, with Safari taking a clear lead:
Google reported all the security flaws to the browser vendors, and the flaws were then fixed. The Project Zero engineer has now open-sourced the Domato fuzzer for security researchers and the testing community, who can access the Domato code on GitHub.
Source: Great DOM Fuzz-off