Posts tagged as:

Apple

iTunes 8: connecting an iPod causes a BSOD on Vista

by certifiedbug on September 10, 2008

in This and That

Lots of unhappy campers.
http://discussions.apple.com/thread.jspa?threadID=1701063&tstart=0

Update.
Apple reissued iTunes to fix the BSOD issue on Windows Vista caused by iTunes’ buggy drivers. Article: TS2280

However, there are now two different versions of the software and drivers both named version 8: the buggy one, and the ‘update’, which uses the older driver editions from July.

If you were one of those affected, you will need to uninstall iTunes and Apple Mobile Device Support, and reboot (restart the computer). Then re-download (75MB) and install the updated iTunes 8 installer.

Be sure to get the fresh download and don’t reinstall the iTunes8Setup or iTunes864Setup file, which caused the problem in the first place.

{ 2 comments }

Safari update fixes “carpet bomb”

by certifiedbug on June 21, 2008

in Browser

Apple had previously said that the vulnerability, found by security consultant Nitesh Dhanjani and dubbed the “carpet bombing” bug, would not be treated as a security issue, but rather filed as an enhancement request.
Certifiedbug: Apple’s Safari Carpet Bomb

A second researcher, Aviv Raff, found a way to execute files on the desktop without notifying the user.
Safari pwns Internet Explorer

Microsoft released a Security Advisory (953818) May 30th:
Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

Apple:

To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.

About the security content of Safari 3.1.2 for Windows

{ 0 comments }

Apple’s Safari Carpet Bomb

by certifiedbug on May 15, 2008

in Browser

Nitesh Dhanjani released his research on issues within Apple’s Safari browser today.

Apparently Apple has decided not to fix two of the issues and gave Dhanjani permission to discuss them with the security community.

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

The implication of this is obvious: Malware downloaded to the user’s desktop without the user’s consent.

Apple does not feel this is an issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion:

…the ability to have a preference to “Ask me before downloading anything” is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue].

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) and clicking on an HTML file they have downloaded (risk perceived to be lower).

Apple’s response was positive:

…we have been investigating the potential for a “safe” mode for local HTML. This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation. Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.

http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

{ 0 comments }

Apple Safari 3.1 for Windows, new vulnerabilities

by certifiedbug on March 25, 2008

in Browser

Apple: “Engineers designed Safari to be secure from day one.”

Secunia Advisory: SA29483
Release Date: 2008-03-24
Safari Address Bar Spoofing and Memory Corruption Vulnerabilities

Criticality: Highly critical
Impact: Spoofing, System access
Where: From remote
Solution Status: Unpatched

Description:
Juan Pablo Lopez Yacubian has discovered two vulnerabilities in Safari, which can be exploited by malicious people to conduct spoofing attacks or potentially compromise a user’s system.

1) An error when downloading e.g. a .ZIP file with an overly long filename can be exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

2) An error in the handling of windows can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar.

The vulnerabilities are confirmed in version 3.1 for Windows. Other versions may also be affected.

{ 2 comments }

Say what?

by certifiedbug on March 23, 2008

in Browser

Joe Wilcox: Too Much Safari 3.1 Nonsense

Every developer shipping updaters should follow Apple’s approach. Are you listening Adobe?

You have got to be kidding, suggesting Adobe listen up and push more crud our way?

February 28, 2008.
PayPal warns: Steer clear of Apple’s Safari browser

{ 0 comments }

What’s Up Apple, I don’t want Safari

by certifiedbug on March 21, 2008

in This and That

Apple is taking advantage of its Software Update program, in my case for iTunes, to barge its way onto computers and push Safari 3.1 Web browser for Mac OS and Windows XP/Vista.

It’s bad enough I have to take QuickTime along with iTunes, but really this is too much. The nag comes up with every reboot.

Apple, did I ask? Thanks but no thanks, the updater is now gone.

Edit: If you do the same, be sure to check frequently for Apple security updates.

{ 0 comments }

Apple releases a boat load of patches

by certifiedbug on November 16, 2007

in Security

November 14-15, 2007. Fixes for at least 54 security bugs.
Apple also patched a security hole in its bundled version of Adobe’s Flash Player, a fix Adobe had offered as an update since July 2007.

Security Updates

  • 15 Nov 2007: Mac OS X 10.5.1 (Mac OS X 10.5, Mac OS X Server version 10.5)
  • 14 Nov 2007: Mac OS X 10.4.11 and Security Update 2007-008 (Mac OS X 10.3.9 for Security Update 2007-008; Mac OS X 10.4 or later for the Mac OS X 10.4.11 Update)
  • 14 Nov 2007: Safari 3 Beta Update 3.0.4 (Windows XP / Vista)

About the security content of Safari 3 Beta Update 3.0.4

Security appears to be taking a front seat at Apple, which is good news for Mac users, even if many believe their systems are invincible. ;-)

The enormous set of patches for Mac OS X, Safari and the Leopard firewall came shortly after Microsoft’s November security release.

The Microsoft Security Response Center (MSRC)
Tuesday, November 13, 2007

Two new bulletins:

  • MS07-061: This update addresses a vulnerability in Windows URI handling, which could allow remote code execution and has a maximum severity of Critical.
  • MS07-062: This update addresses a vulnerability in DNS which could allow spoofing and has a maximum severity of Important.

One re-released bulletin:

  • MS07-049: This update addresses a vulnerability in Virtual PC and Virtual Server and could allow elevation of privilege. This is a change to the installer code only, to address some limited installation problems that we have seen. There’s no change to the update binaries, so if you have already successfully installed this update, you do not need to reinstall it. Please refer to the bulletin revision notes for more detail.

{ 0 comments }

Mac OS X Leopard Application-Based Firewall Alert

by certifiedbug on November 5, 2007

in Security

Possible Faults:

US-CERT is aware of reports of possible flaws in the Application-Based Firewall in Mac OS X Leopard. According to these reports, users may be misinformed of the status of their firewall rule set, thus placing users with listening network services at an increased risk.

Users are urged to exercise caution when relying on the firewall rules for access control.

US-CERT will provide additional information as it becomes available.

{ 0 comments }

Mac Trojan

by certifiedbug on October 31, 2007

in Security

Mac users who practice unsafe hex will find more than they bargained for.

From Intego:

Exploit: OSX.RSPlug.A Trojan Horse
Discovered: October 30, 2007
Risk: Critical

OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to Redirect to Malicious DNS Servers

Description: A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file.

Please click here to download new version of codec.
After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

Intego Press Release

Sunbelt Blog: Screenshot
Commentary: Mac trojan overhype? You tell me.

Well, we knew it was coming; Apple users may get hit hard now that the malware gangs are targeting them.

Vnunet.com UPDATE: McAfee has confirmed the OSX.RSPlug.A trojan and reported that it is spreading through fake codec sites in addition to the porn websites.
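The symptom Intego describes, local DNS settings silently pointed at resolvers the user never chose, is something an administrator can check for directly. The script below is an added example, not Intego’s, McAfee’s or Apple’s code: it parses the text that `scutil --dns` prints on Mac OS X (assumed format: `resolver #N` headers followed by `nameserver[i] : address` lines) and reports every resolver that falls outside an allow-list of expected networks. The `scutil` sample embedded in the script is constructed for the example, and the 203.0.113.x addresses are documentation addresses standing in for an unknown resolver.

```python
"""Report DNS resolvers on a Mac that are not on the administrator's allow-list.

Added example (not vendor code). Parses `scutil --dns` output; the format
assumed is `resolver #N` headers with `nameserver[i] : address` lines.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `scutil --dns` output; not captured from a real host.
# Resolver #1 has been pointed at two addresses outside the local network.
SAMPLE_SCUTIL_DNS = """DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text):
    """Return (resolver_number, nameserver) pairs in the order scutil lists them."""
    found = []
    current = None
    for line in text.splitlines():
        header = RESOLVER_RE.match(line)
        if header:
            current = int(header.group(1))
            continue
        entry = NAMESERVER_RE.match(line)
        if entry and current is not None:
            found.append((current, entry.group(1)))
    return found


def unexpected_resolvers(text, allowed_networks):
    """Return nameservers in the scutil text that lie outside allowed_networks.

    allowed_networks is an iterable of CIDR strings the administrator expects
    (the LAN router, the corporate resolver). Anything else, including an
    entry that does not parse as an IP address, is reported for follow-up.
    """
    allowed = [ipaddress.ip_network(net) for net in allowed_networks]
    flagged = []
    for resolver, ns in parse_scutil_dns(text):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            flagged.append((resolver, ns))
            continue
        if not any(addr in net for net in allowed):
            flagged.append((resolver, ns))
    return flagged


def check_live_host(allowed_networks):
    """Run scutil --dns on this Mac; returns [] where scutil is unavailable."""
    try:
        result = subprocess.run(["scutil", "--dns"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return unexpected_resolvers(result.stdout, allowed_networks)


if __name__ == "__main__":
    # Assumption for the demo: the home router's subnet is the only expected source.
    expected = ["192.168.1.0/24"]
    for resolver, ns in unexpected_resolvers(SAMPLE_SCUTIL_DNS, expected):
        print(f"resolver #{resolver}: unexpected nameserver {ns}")
```

Run against the sample, the two 203.0.113.x entries are reported and the scoped 192.168.1.1 entry is not; on a real host, `check_live_host` feeds the current `scutil --dns` output through the same comparison. A hit is a reason to look at the host, not proof of infection, since VPN clients and ISP-assigned resolvers also show up outside the LAN range until they are added to the allow-list.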

{ 0 comments }

Update for Mac OS X 10.5 Leopard

by certifiedbug on October 30, 2007

in Security

Mac OS X Leopard, released Friday, Oct. 26, has a Login & Keychain Update available.

It addresses issues you may encounter when:

  • Logging in with an account originally created in Mac OS X 10.1 or earlier that has a password of 8 or more characters.
  • Connecting to some 802.11b/g wireless networks.
  • Changing the password of a FileVault-protected account.

Apple Downloads

{ 0 comments }