Archive for June 29, 2016

Wednesday, June 29, 2016

Safari 10 Brings Native App Extensions

Daniel Dilger (via Dave Mark):

Like previous App Extensions, the new architecture defines a broad Extension Point for Safari that allows third party developers to add new functionality to Safari, both to read and modify web page content (such as translating text into another language) and to communicate back and forth with a native app to integrate app data into Safari or to get web data into an app.

Developers can extend the Safari user interface by adding a toolbar button to execute a command or display a popover window, add a contextual menu item, inject a style sheet that alters how web pages are presented (such as modifying fonts used or text sizes), or inject JavaScript that changes how a page behaves or enables it to communicate with the app extension.


More importantly, the new App Extensions architecture enables developers to distribute Safari Extensions as part of their app through the App Store.

Safari App Extension Programming Guide:

Safari app extensions are available in OS X 10.12 and later and in OS X 10.11.5 when Safari 10 is installed. Using a Safari app extension, you can add new functionality to Safari, read and modify web page content, and communicate with your native application to integrate its content into Safari or send web data to your app.

Safari app extensions are written using a combination of JavaScript, CSS, and native code written in Objective-C or Swift.

Input Masks: Violating User Expectations

Lukas Mathis:

Because there are no standardized, widely accepted behaviors for input masks, it’s best to avoid «magical» behaviour (e.g. automatically entering characters that the user did not type), or, if you do need magical behavior, also account for user behavior that does not expect magical behavior.

For example, if the field auto-tabs to the next field, and the user also tabs right after filling in a field, it might be best to ignore the user’s tab.


If you create a new control that kind of looks like an existing control, the new control should not violate people’s expected behavior of the existing control. In other words, text fields with input masks’ behavior should be as close to a normal text field’s behavior as possible.

A Year of Windows Kernel Font Fuzzing

Mateusz Jurczyk:

To most readers of this blog, the fact that fonts are a very significant attack vector does not have to be reiterated. There are a number of different file formats in active use. These formats are extremely complex, both structurally and semantically. As a result, they are correspondingly difficult to implement correctly, which is further amplified by the fact that a majority of currently used font rasterizers date back to (early) 90’s, and were written in native languages such as C or C++. Controlled font files are also deliverable through a variety of remote channels – documents, websites, spool files etc. Last but not least, the two powerful virtual machines executing programs describing glyph outlines in the TrueType and OpenType formats have proven vastly useful for creating reliable exploitation chains, thanks to the ability to perform arbitrary arithmetic, bitwise and other operations on data in memory. For all of these reasons, fonts have been an attractive source of memory corruption bugs.


If nothing else, the effort and its results are evidence that fuzzing, if done correctly, is still a very effective approach to vulnerability hunting, even with theoretically “mature” and heavily tested code bases. Furthermore, the two bug collisions prove that Windows kernel font bugs are still alive and kicking, or at least were actively used in the wild in 2015. In the second post of the series, we will discuss the meaty parts of the research: how we prepared the input corpus, mutated and generated interesting font samples, fuzzed the Windows kernel at scale, reproduced the crashes and minimized them.

Vintage Macworld Magazine Library

VintageApple (via Clark Goble):

There is no better depiction of the history of the Macintosh than the old issues of MacWorld Magazine.

For your reading pleasure is a complete MacWorld Magazine collection from 1984 through 1994.

Color scans in PDF format.

I really enjoyed flipping through some old issues of Macworld (note the capitalization) recently before recycling them. The ads, in particular, are very different from what we’re used to seeing now.