
Safari/Firefox spoofing vulnerability (#2): Problems with SaftLite, SAFT plug-in; more

CNET staff

Yesterday we reported on a new Safari (and Mozilla) spoofing vulnerability, which could allow malicious parties to obtain sensitive information by masquerading as legitimate, recognized Web sites.

When the flaw is exploited, a seemingly valid URL is displayed, though the site's content does not reflect that URL. This occurs because of an interesting set of circumstances afforded by browser support for Unicode/UTF8 domain name resolution.

Essentially, the address appears as normal text, but actually consists of Unicode/UTF8 code characters.
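The mechanism described above (a label that reads as plain Latin text but contains non-Latin code points) and the punycode string iCab prints later on this page can be checked mechanically. The following is an added example, not code from the article or from any of the browsers or plug-ins it mentions: it converts a hostname between its Unicode and ASCII-compatible (punycode, `xn--`) forms with Python's standard `idna` codec, flags any label whose letters come from more than one script, and chooses the display form the way later browsers did (show the `xn--` form whenever a label is mixed-script). The sample hostnames are constructed; the Cyrillic `а` (U+0430) standing in for Latin `a` is an assumption about the shape of the proof-of-concept, which the article does not spell out.

```python
"""Flag IDN homograph labels and pick a safe display form (added example)."""
import unicodedata

# Scripts told apart for confusable detection; any other letter counts as OTHER.
KNOWN_SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def to_ace(hostname: str) -> str:
    """Unicode or ACE hostname -> ASCII-compatible form (what the DNS resolver sees)."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Unicode or ACE hostname -> nameprepped Unicode form (what a browser might display)."""
    return hostname.encode("idna").decode("idna")


def scripts_in(label: str) -> set:
    """Coarse script set of a label, taken from the first word of each letter's Unicode name."""
    found = set()
    for ch in label:
        if not ch.isalpha():  # digits, hyphens and combining marks are script-neutral
            continue
        first_word = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        found.add(first_word if first_word in KNOWN_SCRIPTS else "OTHER")
    return found


def suspicious_labels(hostname: str) -> list:
    """Return (unicode_label, ace_label, scripts) for every label that mixes scripts."""
    uni = to_unicode(hostname)
    ace = to_ace(uni)
    report = []
    for u_label, a_label in zip(uni.split("."), ace.split(".")):
        scripts = scripts_in(u_label)
        if len(scripts) > 1:
            report.append((u_label, a_label, sorted(scripts)))
    return report


def display_form(hostname: str) -> str:
    """Unicode form when every label is single-script, otherwise the xn-- form."""
    return to_ace(hostname) if suspicious_labels(hostname) else to_unicode(hostname)


if __name__ == "__main__":
    # Constructed samples: a genuine name, a look-alike with Cyrillic 'а' (U+0430)
    # in the second position, a legitimate single-script IDN, and the ACE string
    # quoted from the iCab error message on this page.
    SAMPLES = [
        "www.paypal.com",
        "www.p\u0430ypal.com",
        "www.m\u00fcnchen.de",
        "www.xn--pypal-bwe.com",
    ]
    for host in SAMPLES:
        print(f"{host!r:28} display={display_form(host)!r} flagged={suspicious_labels(host)}")
```

The script-by-name check is deliberately coarse (it does not consult the Unicode Scripts property), so it errs toward flagging; a production check would also treat a single-script label in a script unexpected for the TLD as suspicious.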

Problems with SaftLite, SAFT plug-in

Shortly after this flaw was noted, Mac developer Hao Li released a plug-in called SaftLite that alerts users when this vulnerability is being exploited.

Li also updated his shareware utility SAFT, a full-featured plug-in for Safari that allows kiosk mode and other operations, to address the vulnerability. Unfortunately, readers are reporting stability problems stemming from both offerings.

MacFixIt reader Nathalie Sato writes: "Downloaded and installed plug-in, and then Safari kept quitting. So removed plug-in and Safari worked as it should."

UPDATE: The developer of SAFT and SaftLite has posted a message to his Web site explaining what is causing the crashes and how the issue can be resolved:

"Saft and Saft Lite's IDN spoofing detection is known to patch the same place as PithHelmet and DownloadComment, and causes Safari to crash with one of these plugins installed together.

"As stated before: as the nature of Saft, which is a plugin to patch certain functions in Safari, no compatibility with such plug-ins is guaranteed. [...]"

Jonathan Chuzi writes "I downloaded and installed SAFT 7.5.1 to update from version 7.5.0. Safari crashed and I had to force-quit when I attempted to access the NY Times or eBay. The problem was repeatable after relaunching Safari and also after a restart. These pages loaded fine in Firefox and I narrowed the culprit to SAFT. After removing SAFT from Library/Input Managers, the problem disappeared."

OmniWeb shows true URL in tab drawer

MacFixIt reader Aubrey Vaughan notes that OmniWeb 5's tab drawer (when expanded) shows the true URL rather than the spoofed version.

Invulnerable browsers

Robert DeVoe reports that the iCab browser (v2.9.8 and v3.0) does not appear to be spoofed:

"they give the connection error message 'Server 'www.xn--pypal-bwe.com' is unknown!' (v3.0) or 'Not found' (v2.9.8) rather than the 'meeow' page (Safari)."

Older versions of Safari are also unaffected. Anthony Burokas writes:

"The hoax URL does not work in Safari 1.0.3 in 10.2.8. All I get is 'Server not found.'"

Finally, most classic Mac OS browsers appear to be immune.

A reader writes: "It turns out the old OS 9 Mozilla 1.2.1 isn't fooled by the exploit either. It reports www.p?ypal.com URL of the proof of concept site isn't resolvable."

Feedback? Late-breakers@macfixit.com.

Resources

  • SaftLite
  • SAFT