Author Topic: Safari 3.1 For Windows Vulnerable To Hacks  (Read 14600 times)


Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Safari 3.1 For Windows Vulnerable To Hacks
« on: March 27, 2008, 08:56:50 PM »
"The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites."

http://apple.slashdot.org/article.pl?no_d2=1&sid=08/03/27/129236

Be Careful out there.
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #1 on: March 27, 2008, 11:11:00 PM »
Quote
There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites."
Not using Safari would also cure this problem.  :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #2 on: March 28, 2008, 01:49:10 AM »
Quote
There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites."
Not using Safari would also cure this problem.  :)
All web browsers have vulnerabilities. So not using the internet would cure the problem.

Safari on the Mac usually gets periodic updates to correct things like this as part of Apple's "Security Update 2008-xxx" patches. I'd imagine they will do the same for the Windows version through the Software Update program.
« Last Edit: March 28, 2008, 04:36:39 AM by .: Mac :. »
"People who are really serious about software should make their own hardware." - Alan Kay

Offline bob3160

Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #3 on: March 28, 2008, 01:53:08 AM »
Quote
So No using the internet would cure the problem
Mac, that's not an acceptable alternative.
That would be the same as saying if you never get born then you don't have to worry about dying  ;D


drhayden1

  • Guest
Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #4 on: March 28, 2008, 05:50:03 AM »
Safari Illegal to Use on Windows?  http://www.theregister.co.uk/2008/03/26/apple_safari_eula_paradox/ then
http://www.theregister.co.uk/2008/03/27/apple_updates_safari_eula/
After all that talk about Apple pushing the Safari “update” on Windows users (here and here), as it turns out, it’s actually “illegal” for Windows users to install it! Read the first sentence in the image below and you’ll see what I mean:

It very clearly reads in Apple’s License Agreement which you have to agree to before downloading Safari, that “This License allows you to install and use one copy of the Apple Software on a single Apple-labeled computer at a time.” The last time I checked, my Dell computer had no Apple label to be found on it! It looks like Apple needs to take some time to review all of their agreements now that they’re branching out and offering software to Windows users.

What’s even more funny is that when the License Agreement pops up, it warns to read it carefully. Well, by reading it carefully it was discovered that PC users really aren’t supposed to be using it! It says in big bold/all caps:

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”) CAREFULLY BEFORE USING THE APPLE SOFTWARE. BY USING THE APPLE SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE, DO NOT USE THE SOFTWARE.

Maybe Apple is pushing Safari so hard because they’ll threaten all of the Windows users later on that they must switch to a Mac or face being sued?  It looks like us software users aren’t the only ones that don’t read the agreement, apparently those who write it don’t read it either. This was clearly an oversight by Apple, and we imagine it’ll be fixed soon.

click on pic to enlarge ::)
« Last Edit: March 28, 2008, 05:53:50 AM by drhayden1 »

drhayden1

  • Guest
Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #5 on: March 28, 2008, 03:21:48 PM »
I'm glad that Safari is now legal to use on Windows 'cause I use it on my work Mac and it's turning out to be a great browser :)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #6 on: March 28, 2008, 09:05:37 PM »
You're not wrong there!

Quote
MacBook Air falls in two minutes at PWN 2 OWN

Quote
According to sources at the conference, Miller used an exploit against the Safari browser that ships standard with Mac OS X. Details of the vulnerability and the attack vector are now the property of TippingPoint’s ZDI (Zero Day Initiative), the sponsor of the Pwn2Own challenge.

pwned. (Quite literally, as Miller takes the laptop home now.)

http://blogs.zdnet.com/security/?p=984
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #7 on: March 28, 2008, 09:55:35 PM »
Same story here:

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html

Obviously ZDNET fails to mention this part:

Quote
By late Thursday, Apple engineers were already working on patching the issue, said Aaron Portnoy, a TippingPoint researcher who is one of the contest's judges.

That's where the difference is...

Also:
Quote
Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.


Quote
The MacBook was the only system to be hacked by Thursday, however, the word on the show floor is that the Linux and Vista systems will meet with some serious challenges on Friday.

« Last Edit: March 28, 2008, 10:02:29 PM by [••] »
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

Offline bob3160

Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #8 on: March 28, 2008, 11:50:20 PM »
All this really proves is that there is no such thing as 100% safe anything.

It's still up to the user which computer to buy and what software to run.
Sooner or later, even the best of us will get caught by a new malware infection. :'(
Keep your guard up and your back-ups handy. ;D

Offline .: Mac :.

Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #9 on: March 29, 2008, 12:03:52 AM »
You're not wrong there!

Quote
MacBook Air falls in two minutes at PWN 2 OWN

Quote
According to sources at the conference, Miller used an exploit against the Safari browser that ships standard with Mac OS X. Details of the vulnerability and the attack vector are now the property of TippingPoint’s ZDI (Zero Day Initiative), the sponsor of the Pwn2Own challenge.

pwned. (Quite literally, as Miller takes the laptop home now.)

http://blogs.zdnet.com/security/?p=984

Browser Exploit, not a flaw in the OS. And as Sasha pointed out even the browser exploit will be quickly patched.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #10 on: March 29, 2008, 12:11:10 AM »
Hi bob3160,

I have the strong impression that this is not necessary, and if you get infected it means a. your practices were insecure, b. your luck was out big time.
If you have adequate, updated, fully patched software, taken measures to reduce the risk of infections, like broad theater scanning solutions for av-af-as-ark, together with a normal user account, a NoScript solution on FF or Symantec's NoScript in IE, and you have the security experience to stay away from where malware infestors may hide or made yourself invulnerable to them, you need not be infested with malware in the broadest sense of the word (no tracking cookies even), use hjt crap cleaning and other knowledgeable means. I am proof of it: since I became more involved in malware cleansing and knew more ways to protect myself "from visiting this forum frequently", I had 0 malware on my box, two FPs but that could be taken into account, and this for several years where malware numbers doubled every year.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #11 on: March 29, 2008, 11:38:43 AM »
All this really proves is that there is no such thing as 100% safe anything.

It's still up to the user which computer to buy and what software to run.
Sooner or later, even the best of us will get caught by a new malware infection. :'(
Keep your guard up and your back-ups handy. ;D

I seem to remember you saying the same thing back in '06, Bob, when all those holes were appearing in IE6.

I still haven't been 'caught' browsing with Firefox or Opera. I don't agree with the 'sooner or later' idea: if you're going to get caught, it'll be using an application with poor security, one that doesn't update quickly, or an unpatched and vulnerable version of an application.

Although Safari may be patched quickly, it's worrying that it was hacked so easily. Also worrying is that it seems to suffer from problems that IE had several years ago:

Quote
Windows users may hope Safari doesn't share as much binary code between versions as it does licensing restrictions. In any event, last week's discovery that the latest version for Windows was susceptible to a simple page frame spoof may not be considered a "system compromise," though security firm Secunia saw fit to catalog it as "highly critical."

The code for this JavaScript-based exploit was made public, though there's not much surprising or innovative about it: It's the same kind of page spoofing problem that plagued Microsoft Internet Explorer over three years ago. Essentially it enables the creation of a browser frame that says its contents come from a URL but in fact derive from a separate JavaScript element that runs unchecked.

http://www.betanews.com/article/Newest_Safari_browsers_find_themselves_shooting_gallery_targets/1206719993

lee16

  • Guest
Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #12 on: March 29, 2008, 11:58:40 AM »
[Sarcasm mode on]

A web browser that has security flaws, the walls of reality are falling down!  ::) ;D

[Sarcasm mode off]

Seriously now, it will most likely be fixed soon and it's not that worrying that it was "hacked" so easily. Nothing made by humans will ever be "unhackable"; Apple still does make good software (although I admit it's a little intrusive at times) and I've still got confidence in it.
I must confess I haven't tried the new Safari browser on Windows yet though, due to other software I'm playing around with currently etc.

Also I would like to say I agree with polonus here, safe browsing habits should stop most of these exploits from becoming a reality here.

--lee

Offline FreewheelinFrank

Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #13 on: March 29, 2008, 12:28:05 PM »
Quote
"It's one thing to find a vulnerability, it's another thing to make working exploit code," said Terri Forslof, TippingPoint's Manager of Security Response.

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html

This is the view I've always taken.

Offline szc

Re: Safari 3.1 For Windows Vulnerable To Hacks
« Reply #14 on: March 29, 2008, 12:59:51 PM »
Quote
"It's one thing to find a vulnerability, it's another thing to make working exploit code," said Terri Forslof, TippingPoint's Manager of Security Response.

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html

This is the view I've always taken.

Isn't this exactly the same link I posted a little bit earlier in this same thread?
http://forum.avast.com/index.php?topic=34148.msg286020#msg286020