Dangerous Flaws Reported in Safari for Windows
By Richard Koman / Enterprise Security Today
PUBLISHED: MARCH 27, 2008
Argentinian hacker Juan Pablo Lopez Yacubian has discovered two critical flaws in Apple's Safari 3.1 browser for Windows, according to security firm Secunia.

First, Yacubian says, an error when downloading a .zip file with an overly long filename can be exploited to cause memory corruption. "Successful exploitation may allow execution of arbitrary code," Secunia's Web site says.

In addition, an error in the handling of windows can be exploited to display arbitrary content while showing the URL of a trusted Web site in the address bar, the researcher reported.

Risk to Enterprises

"It's not good news when three days after releasing a significant update to any software, that a researcher publishes two highly critical bugs for the new release," said Andrew Storms, director of security operations for nCircle Network Security, in an e-mail.

"Further, the risk to enterprises and consumers alike have been further heightened as the proof of concept for these vulnerabilities is now readily available. The move from proof of concept to weaponization is just around the corner," Storms said. Indeed, the mix of research being reported at the CanSecWest security conference in Vancouver this week means that "weaponization has probably already occurred," he added.

The only bright point here is that "Safari still hasn't got the largest market share when it comes to browsers," Storms said.

Software Pushed on Users

News of the bugs comes in the context of Apple's controversial practice of pushing the new Safari to Windows users through iTunes' software updater. Even users who had never installed a previous version of Safari were offered the new software and, if they performed the default behavior of just clicking OK, they wound up with Safari on their hard drives.

The practice generated a firestorm of controversy, fueled largely by Mozilla CEO John Lilly's blog post that Apple was "wrong" and "bordering on malware."

"While this might have been an annoying situation to users," Storms said, "given the new Safari vulnerabilities, it's also a bigger security risk."

Practice 'Borders on Malware'

Lilly ripped into Apple on his blog, saying, "What Apple is doing now with their Apple Software Update on Windows is wrong. It undermines the trust relationship great companies have with their customers, and that's bad -- not just for Apple, but for the security of the whole Web."

He added that it's "critically, crucially important for the security of end users and for the security of the Web at large that people stay current. If people don't update software regularly, it is impossible for them to remain safe." So if users are turned off by Apple's updates because they feel burned about having Safari thrust upon them, overall Web security is harmed.

"Apple has made it incredibly easy -- the default, even -- for users to install ride-along software that they didn't ask for, and maybe didn't want. This is wrong, and borders on malware distribution practices," Lilly said.

So far, Apple has not commented on Yacubian's vulnerability report.

© Copyright 2015 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.