Avast WEBforum

Other => General Topics => Topic started by: Marc57 on March 27, 2008, 08:56:50 PM

Title: Safari 3.1 For Windows Vulnerable To Hacks
Post by: Marc57 on March 27, 2008, 08:56:50 PM
"The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites."

http://apple.slashdot.org/article.pl?no_d2=1&sid=08/03/27/129236

Be Careful out there.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on March 27, 2008, 11:11:00 PM
Quote
There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites."
Not using Safari would also cure this problem.  :)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: .: Mac :. on March 28, 2008, 01:49:10 AM
Quote
There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites."
Not using Safari would also cure this problem.  :)
All Web Browsers Have Vulnerabilities. So Not Using the internet Would cure the problem

Safari on the Mac usually gets periodic updates to correct things like this as part of Apple's "Security Update 2008-xxx" patches. I'd imagine they will do the same for the Windows version through the Software Update Program.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on March 28, 2008, 01:53:08 AM
Quote
So No using the internet would cure the problem
Mac that's not an acceptable alternative.
That would be the same as saying if you never get born then you don't have to worry about dying  ;D

Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: drhayden1 on March 28, 2008, 05:50:03 AM
Safari Illegal to Use on Windows?  http://www.theregister.co.uk/2008/03/26/apple_safari_eula_paradox/ then
http://www.theregister.co.uk/2008/03/27/apple_updates_safari_eula/
After all that talk about Apple pushing the Safari “update” on Windows users (here and here), as it turns out, it’s actually “illegal” for Windows users to install it! Read the first sentence in the image below and you’ll see what I mean:

It very clearly reads in Apple’s License Agreement which you have to agree to before downloading Safari, that “This License allows you to install and use one copy of the Apple Software on a single Apple-labeled computer at a time.” The last time I checked, my Dell computer had no Apple label to be found on it! It looks like Apple needs to take some time to review all of their agreements now that they’re branching out and offering software to Windows users.

What’s even more funny is that when the License Agreement pops-up, it warns to read it carefully. Well, by reading it carefully it was discovered that PC users really aren’t supposed to be using it! It says in big bold/all caps:

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (”LICENSE”) CAREFULLY BEFORE USING THE APPLE SOFTWARE. BY USING THE APPLE SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE, DO NOT USE THE SOFTWARE.

Maybe Apple is pushing Safari so hard because they’ll threaten all of the Windows users later on that they must switch to a Mac or face being sued?  It looks like us software users aren’t the only ones that don’t read the agreement, apparently those who write it don’t read it either. This was clearly an oversight by Apple, and we imagine it’ll be fixed soon.

click on pic to enlarge ::)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: drhayden1 on March 28, 2008, 03:21:48 PM
I'm glad that Safari is now legal to use on Windows 'cause I use it on my work Mac and it's turning out to be a great browser :)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: FreewheelinFrank on March 28, 2008, 09:05:37 PM
You're not wrong there!

Quote
MacBook Air falls in two minutes at PWN 2 OWN

Quote
According to sources at the conference, Miller used an exploit against the Safari browser that ships standard with Mac OS X. Details of the vulnerability and the attack vector are now the property of TippingPoint’s ZDI (Zero Day Initiative), the sponsor of the Pwn2Own challenge.

pwned. (Quite literally, as Miller takes the laptop home now.)

http://blogs.zdnet.com/security/?p=984
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: szc on March 28, 2008, 09:55:35 PM
Same story here:

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html

Obviously ZDNET fails to mention this part:

Quote
By late Thursday, Apple engineers were already working on patching the issue, said Aaron Portnoy, a TippingPoint researcher who is one of the contest's judges.

That's where the difference is...

Also:
Quote
Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.


Quote
The MacBook was the only system to be hacked by Thursday, however, the word on the show floor is that the Linux and Vista systems will meet with some serious challenges on Friday.

Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on March 28, 2008, 11:50:20 PM
All this really proves is that there is no such thing as 100% safe anything.

It's still up to the user which computer to buy and what software to run.
Sooner or later, even the best of us will get caught by a new malware infection. :'(
Keep your guard up and your back-ups handy. ;D
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: .: Mac :. on March 29, 2008, 12:03:52 AM
You're not wrong there!

Quote
MacBook Air falls in two minutes at PWN 2 OWN

Quote
According to sources at the conference, Miller used an exploit against the Safari browser that ships standard with Mac OS X. Details of the vulnerability and the attack vector are now the property of TippingPoint’s ZDI (Zero Day Initiative), the sponsor of the Pwn2Own challenge.

pwned. (Quite literally, as Miller takes the laptop home now.)

http://blogs.zdnet.com/security/?p=984

Browser Exploit, not a flaw in the OS. And as Sasha pointed out even the browser exploit will be quickly patched.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: polonus on March 29, 2008, 12:11:10 AM
Hi bob3160,

I have the strong impression that this is not necessary, and if you get infected it means a. your practices were insecure, b. your luck was out big time.
If you have adequate updated fully patched software, taken measures to reduce the risk of infections, like broad theater scanning solutions for av-af-as-ark, together with a normal user account, a NoScript solution on FF or symantec's NoScript in IE, and you have the security experience to stay away from where malware infestors may hide or made yourself invulnerable to them, you need not be infested with malware in the broadest sense of the word (no tracking cookies even), use hjt crap cleaning and other knowledgeable means. I am proof of it since I became more involved in malware cleansing and knew more ways to protect myself  "from visiting this forum frequently" I had 0 malware on my box, two FP's but that could be taken into account,
and this for several years where malware numbers doubled every year,

polonus
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: FreewheelinFrank on March 29, 2008, 11:38:43 AM
All this really proves is that there is no such thing as 100% safe anything.

It's still up to the user which computer to buy and what software to run.
Sooner or later, even the best of us will get caught by a new malware infection. :'(
Keep your guard up and your back-ups handy. ;D

I seem to remember you saying the same thing back in '06, Bob, when all those holes were appearing in IE6.

I still haven't been 'caught' browsing with Firefox or Opera. I don't agree with the 'sooner or later' idea: if you're going to get caught, it'll be using an application with poor security, one that doesn't update quickly, or an unpatched and vulnerable version of an application.

Although Safari may be patched quickly, it's worrying that it was hacked so easily. Also worrying is that it seems to suffer from problems that IE had several years ago:

Quote
Windows users may hope Safari doesn't share as much binary code between versions as it does licensing restrictions. In any event, last week's discovery that the latest version for Windows was susceptible to a simple page frame spoof may not be considered a "system compromise," though security firm Secunia saw fit to catalog it as "highly critical."

The code for this JavaScript-based exploit was made public, though there's not much surprising or innovative about it: It's the same kind of page spoofing problem that plagued Microsoft Internet Explorer over three years ago. Essentially it enables the creation of a browser frame that says its contents come from a URL but in fact derive from a separate JavaScript element that runs unchecked.

http://www.betanews.com/article/Newest_Safari_browsers_find_themselves_shooting_gallery_targets/1206719993
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: lee16 on March 29, 2008, 11:58:40 AM
[Sarcasm mode on]

A web browser that has security flaws, the walls of reality are falling down!  ::) ;D

[Sarcasm mode off]

Seriously now, it will most likely be fixed soon and it's not that worrying that it was "hacked" so easily, nothing made by humans will ever be "unhackable", Apple still does make good software (although I admit it's a little intrusive at times) and I still got confidence in it.
I must confess I haven't tried the new Safari browser on Windows yet, though, due to other software I'm playing around with currently etc.

Also I would like to say I agree with polonus here, safe browsing habits should stop most of these exploits from becoming a reality here.

--lee
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: FreewheelinFrank on March 29, 2008, 12:28:05 PM
Quote
"It's one thing to find a vulnerability, it's another thing to make working exploit code," said Terri Forslof, TippingPoint's Manager of Security Response.

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html

This is the view I've always taken.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: szc on March 29, 2008, 12:59:51 PM
Quote
"It's one thing to find a vulnerability, it's another thing to make working exploit code," said Terri Forslof, TippingPoint's Manager of Security Response.

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html

This is the view I've always taken.

Isn't this exactly the same link I posted little bit earlier in this same thread?
http://forum.avast.com/index.php?topic=34148.msg286020#msg286020
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: FreewheelinFrank on March 29, 2008, 01:07:57 PM
That's probably where I noticed it. Getting old, I'm afraid. Memory going...
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: Hard_ROCKER on March 29, 2008, 02:24:44 PM
Ubuntu is the winner ...   ;D

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: FreewheelinFrank on March 29, 2008, 02:55:41 PM
Flash vulnerability on Vista.  ::)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on March 29, 2008, 03:39:32 PM
Quote
Quote from: bob3160 on Yesterday at 04:50:20 PM
All this really proves is that there is no such thing as 100% safe anything.

It's still up to the user which computer to buy and what software to run.
Sooner or later, even the best of us will get caught by a new malware infection. Cry
Keep your guard up and your back-ups handy. Grin

Quote
I seem to remember you saying the same thing back in '06, Bob, when all those holes were appearing in IE6.
Frank,
I didn't notice any hackers going on vacation since 06 ???  ;D

If anything, the amount of attacks against all systems have increased since 06 making increased security
even more vital today than ever before.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: FreewheelinFrank on March 29, 2008, 04:44:58 PM
Quote
Sooner or later, even the best of us will get caught by a new malware infection.

Quote
I didn't notice any hackers going on vacation since 06

I think you missed my point, which was that I'm still waiting to get caught as you promised. The increasing number of attacks just makes me further doubt the notion that 'there is no such thing as 100% safe anything,' and that browsers are much of a muchness when it comes to security.

Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: FreewheelinFrank on March 29, 2008, 07:17:08 PM
Quote
Using a zero-day vulnerability in Adobe's ubiquitous Flash Player, hacker Shane Macaulay hacked into a Windows Vista laptop to win a $5,000 cash prize at this year's CanSecWest Pwn2Own challenge.

Macaulay, who uses the "K2" hacker moniker, also won the Fujitsu U810 laptop running Windows Vista Ultimate SP1 that he hijacked with the exploit.

According to sources at the conference, the Adobe Flash vulnerability is "cross-platform."

Details of the vulnerability and the attack vector are now the property of TippingPoint's ZDI (Zero Day Initiative), the sponsor of the CanSecWest Pwn2Own challenge. Officials from ZDI have confirmed the unpatched nature of the flaw and are coordinating the disclosure process with Adobe.

Earlier in the week, security researcher Charlie Miller hijacked Apple's MacBook Air with a drive-by exploit against the Safari browser. That exploit carried a $10,000 cash prize, plus the hacked laptop.

A Sony VAIO VGN-TZ37CN machine running Ubuntu 7.10 "Gutsy Gibbon" was the only laptop left standing after the three-day challenge.

http://securitywatch.eweek.com/exploits_and_attacks/vista_hacked_with_adobe_flash_vulnerability.html
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on March 29, 2008, 08:29:44 PM
Quote
I think you missed my point, which was that I'm still waiting to get caught as you promised.
My promise was "Sooner or Later"  I never set a time frame on "Later"  :) :)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: polonus on March 29, 2008, 11:28:33 PM
Hi bob3160,

Returning to the vulnerabilities at hand: http://secunia.com/advisories/29483/
Also a link there to check for unauthorized installations of Safari..

polonus
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: neal62 on March 30, 2008, 07:41:17 AM
I downloaded Safari 3.1. to try it out. I must say that my flock browser on my machine is still faster and offers more and is smaller in footprint.  ;D
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: Marc57 on March 30, 2008, 07:56:19 PM
You probably wouldn't see these vulnerabilities in Safari 3.1 on a Mac. It's probably the same thing as running IE7 on Windows XP versus Vista. IE7 is much safer on Vista than it is on XP (this is supposed to change in XP SP3).
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on March 30, 2008, 11:08:35 PM
Quote
You probably wouldn't see these vulnerabilities in Safari 3.1 on a mac
Probably not but it's an underhanded way for Apple to again make Microsoft look bad.  :o
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: .: Mac :. on March 30, 2008, 11:44:27 PM
Quote
You probably wouldn't see these vulnerabilities in Safari 3.1 on a mac
Probably not but it's an underhanded way for Apple to again make Microsoft look bad.  :o

Or if the flaw does not exist on the Mac side maybe it's Windows that is the problem  ::)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: Marc57 on April 01, 2008, 06:08:25 PM
Flash vulnerability on Vista.  ::)

Yep, but if you read this: http://blogs.zdnet.com/security/?p=993&tag=nl.e539

It seems that the flash vulnerability could have taken down any of the three.

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place,” he (Macaulay) said in an interview shortly after he claimed his prize Friday. “This could affect Linux or Mac OS X.”

Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products.

Aha, so there is your story right there, this flaw could’ve worked on any of the systems; however, the contest rules state that the same exploit can only be used to compromise one machine (see rule #2 from the cansecwest.com web page which states “You can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.”), and Macaulay used Vista because it was what he was more familiar with."


Update: Sorry for posting this, I missed Frank's post on the same thing.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: szc on April 01, 2008, 06:37:59 PM
Same thing can be said for hacked Mac... they used Safari, and if it can be hacked on Apple, there is no reason not to be able to hack it on any Windows machine, it is even more vulnerable on Windows than on OS X. It is a software issue, not hardware issue at all.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on April 02, 2008, 01:57:41 AM
Quote
it is even more vulnerable on Windows than on OS X
It is equally vulnerable on any system that's using Safari 3.1
The vulnerability exists in the browser.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: szc on April 02, 2008, 02:41:38 AM
Quote
it is even more vulnerable on Windows than on OS X
It is equally vulnerable on any system that's using Safari 3.1
The vulnerability exists in the browser.

You don't even need Safari to compromise Windows OS, it is vulnerable and easy to compromise by its nature. Of course it is widely used so hackers are attacking it like crazy, but that's not excuse. No one can assure me that there are no hackers out there who would at least try to hack OS X just to prove something, but yet... we don't have any serious system attacks registered, and even less successful ones.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: Lisandro on April 02, 2008, 03:11:59 AM
I wish someday Windows and Mac users love each other  :-* :-*
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: szc on April 02, 2008, 03:18:51 AM
But Tech, that's already happening. I have both, so I am Mac and PC user in the same time. I don't have anything against either side of me, but when one of my sides work on PC, all I get most of the time is headache. I didn't like that, so I went out and bought one of these beauties. Mac really allows me to focus on my creativity, rather than spending so much time on checking up on latest versions of security software, and installing a bunch of it of course.

You love Linux, so I am 100% sure you would be unbelievable happy using OS X.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: Lisandro on April 02, 2008, 03:26:12 AM
You love Linux, so I am 100% sure you would be unbelievable happy using OS X.
I'll use when I have a budget to give it to myself as a gift ;)
Well... I'm learning Linux, but it's not intuitive as Windows (at least for me), I was born in Windows environment.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: szc on April 02, 2008, 03:37:29 AM
Well, when talking about budget... I didn't have any when I first came here. Didn't have any friends, don't have any relatives... but I worked like a moron, all kind of jobs, regardless if it was day or night, sunny day or rainy day. After few years, I can say I can afford it now.

Windows = intuitive, Linux = perfect but not easy to use... OS X is your answer, everything that Linux has and more, and even easier to use than Windows.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on April 02, 2008, 04:15:53 AM
Quote
it is even more vulnerable on Windows than on OS X
It is equally vulnerable on any system that's using Safari 3.1
The vulnerability exists in the browser.

You don't even need Safari to compromise Windows OS, it is vulnerable and easy to compromise by its nature. Of course it is widely used so hackers are attacking it like crazy, but that's not excuse. No one can assure me that there are no hackers out there who would at least try to hack OS X just to prove something, but yet... we don't have any serious system attacks registered, and even less successful ones.
Sasha,
The title of this thread is "Safari 3.1 For Windows Vulnerable To Hacks"
this is all I pointed out.
All operating systems can, have been and will again be compromised.
As long as there are hackers, there will be compromises.
By nature, the most popular system will always be the most compromised.

Say hi to 2 of my favorite girls.  :)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: szc on April 02, 2008, 01:35:28 PM
..
...
All operating systems can, have been and will again be compromised.
As long as there are hackers, there will be compromises.
By nature, the most popular system will always be the most compromised.

Say hi to 2 of my favorite girls.  :)

Yes, that's correct... but still, some will be more compromised and some less.

They are sending HIs back to you too guys!  :)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: FreewheelinFrank on May 15, 2008, 10:51:32 PM
Quote
Apple okay with Safari 'carpet bombing' vuln for now

Next time you get nagged to install Apple's Safari browser keep this in mind: The company's security team has dismissed research that shows a simple way for miscreants to use the browser to litter an end user's machine with malicious files.

According to researcher Nitesh Dhanjani, Safari doesn't bother to ask for user permission before downloading resources from websites. When encountering malicious iframes and other scripts, the browser obediently does what the website tells it to do, including downloading a file as many times as html scripts order.

When informed of this "carpet bombing" vulnerability (as researcher Billy (BK) Rios has dubbed it), Apple agreed that it might be good if Safari actually checked with the user before downloading potentially vicious files, but signaled that kind of addition wasn't much of a priority.

"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," someone from Apple's security team told Dhanjani. "We want to set your expectations that this could take quite a while, if it ever gets incorporated."

This is unfortunate because the vulnerability allows miscreants to dump hundreds of malicious files into a user's default download location (in Windows it's the desktop and in OS X it's the download folder). As Nate McFeters at the Zero Day Blog sees it, it wouldn't be hard for a rogue site to load up a desktop with dozens of booby-trapped "My Computer" icons that look like the real Windows icon and wait for a confused user to accidentally click on them.

http://www.theregister.co.uk/2008/05/15/apple_safari_carpet_bombing_vuln/
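
A defender-side check for the download flood described in the quoted Register article, as an added example that is not part of the original thread: it flags bursts of files appearing in the default download location and file names that imitate system icons. The thresholds, lure names and sample entries are assumptions constructed for illustration.

```python
"""Flag unprompted download floods in a default download folder."""
import os
import re
from dataclasses import dataclass

# Assumed thresholds and name lists for this illustration; tune before real use.
BURST_COUNT = 20       # this many files ...
BURST_WINDOW = 10.0    # ... created within this many seconds is a burst
LURE_STEMS = {"my computer", "recycle bin", "my documents"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".lnk"}
COPY_SUFFIX = re.compile(r"[\s\-_]*\(?\d+\)?$")  # " (3)", "-12", "_2"


@dataclass
class Entry:
    name: str
    created: float  # seconds since the epoch


def list_dir(path):
    """Read regular files from a real folder.

    st_ctime is creation time on Windows; on Unix it is the last
    metadata change, which is close enough for fresh downloads.
    """
    out = []
    with os.scandir(path) as it:
        for e in it:
            if e.is_file(follow_symlinks=False):
                out.append(Entry(e.name, e.stat(follow_symlinks=False).st_ctime))
    return out


def find_bursts(entries, count=BURST_COUNT, window=BURST_WINDOW):
    """Return groups of >= count files created within window seconds."""
    items = sorted(entries, key=lambda e: e.created)
    bursts, i, j = [], 0, 0
    while i < len(items):
        j = max(j, i)
        while j < len(items) and items[j].created - items[i].created <= window:
            j += 1
        if j - i >= count:
            bursts.append(items[i:j])
            i = j          # continue after the burst
        else:
            i += 1
    return bursts


def lure_names(entries):
    """Return executable-type files named like a system icon."""
    hits = []
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        stem = COPY_SUFFIX.sub("", stem).strip().lower()
        if ext.lower() in EXEC_EXTS and stem in LURE_STEMS:
            hits.append(e.name)
    return hits


def sample_entries():
    """Constructed sample: three ordinary files plus a 30-file flood."""
    t0 = 1_210_000_000.0
    entries = [Entry("report.pdf", t0), Entry("photo.jpg", t0 + 3600)]
    entries += [Entry(f"My Computer ({k}).exe", t0 + 7200 + k * 0.2)
                for k in range(30)]
    entries.append(Entry("notes.txt", t0 + 9000))
    return entries


if __name__ == "__main__":
    entries = sample_entries()
    for burst in find_bursts(entries):
        span = burst[-1].created - burst[0].created
        print(f"burst: {len(burst)} files in {span:.1f}s, first={burst[0].name}")
    print(f"lure-named executables: {len(lure_names(entries))}")
```

To run it against a live folder, pass the result of `list_dir(path)` to `find_bursts` and `lure_names` instead of the sample entries.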
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: DavidR on May 15, 2008, 11:52:10 PM
I would have thought that Secunia would consider this a security vulnerability as they did with the same issue with other browsers, which those browsers patched.
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: bob3160 on May 16, 2008, 12:37:08 AM
I would have thought that Secunia would consider this a security vulnerability as they did with the same issue with other browsers, which those browsers patched.
I guess since it's an Apple product, it's considered in a different league.  :)
Title: Re: Safari 3.1 For Windows Vulnerable To Hacks
Post by: .: Mac :. on May 16, 2008, 03:33:32 AM
Well, one could always update the Safari engine yourself without waiting for Apple. Safari uses WebKit, which is Open Source  :) and most issues are patched in the open source version before they are fixed in the Official Apple Release

The WebKit site has prebuilt binaries for both Mac OS X and Windows of the latest version:
http://webkit.org/

Also, if you choose About Safari you can see what version of WebKit Apple is using; the WebKit version is beside the Safari version
Example: Version 3.1.1 (5525.18)

When you install WebKit it launches using the Safari front end using the updated engine (you have to have Safari installed).