HOME     MENU     SEARCH     NEWSLETTER    
THE ENTERPRISE SECURITY SUPERSITE. UPDATED 9 MINUTES AGO.
You are here: Home / Data Security / Flaws Found in Safari for Windows
Build Apps 5x Faster
For Half the Cost Enterprise Cloud Computing
On Force.com
Dangerous Flaws Reported in Safari for Windows
Dangerous Flaws Reported in Safari for Windows
By Richard Koman / Enterprise Security Today Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
MARCH
27
2008
Argentinian hacker Juan Pablo Lopez Yacubian has discovered two critical flaws in Apple's Safari 3.1 browser for Windows, according to security firm Secunia.

First, Yacubian says, an error when downloading a .zip file with an overly long filename can be exploited to cause memory corruption. "Successful exploitation may allow execution of arbitrary code," Secunia's Web site says.

In addition, an error in the handling of Windows can be exploited to display arbitrary content while showing the URL of a trusted Web site in the address bar, the researcher reported.

Risk to Enterprises

"It's not good news when three days after releasing a significant update to any software, that a researcher publishes two highly critical bugs for the new release," said Andrew Storms, director of security operations for nCircle Network Security, in an e-mail.

"Further, the risk to enterprises and consumers alike have been further heightened as the proof of concept for these vulnerabilities is now readily available. The move from proof of concept to weaponization is just around the corner," Storms said. Indeed, the mix of research being reported at the CanSecWest security conference in Vancouver this week means that "weaponization has probably already occurred," he added.

The only bright point here is that "Safari still hasn't got the largest market share when it comes to browsers," Storms said.

Software Pushed on Users

News of the bugs comes in the context of Apple's controversial practice of pushing the new Safari to Windows users through iTunes' software updater. Even users who had never installed a previous version of Safari were offered the new software and, if they performed the default behavior of just clicking OK, they wound up with Safari on their hard drives.

The practice generated a firestorm of controversy, fueled largely by Mozilla CEO John Lilly's blog post that Apple was "wrong" and "bordering on malware."

"While this might have been an annoying situation to users," Storms said, "given the new Safari vulnerabilities, it's also a bigger security risk."

Practice 'Borders on Malware'

Lilly ripped into Apple on his blog, saying, "What Apple is doing now with their Apple Software Update on Windows is wrong. It undermines the trust relationship great companies have with their customers, and that's bad -- not just for Apple, but for the security of the whole Web."

He added that it's "critically, crucially important for the security of end users and for the security of the Web at large that people stay current. If people don't update software regularly, it is impossible for them to remain safe." So if users are turned off by Apple's updates because they feel burned about having Safari thrust upon them, overall Web security it harmed.

"Apple has made it incredibly easy -- the default, even -- for users to install ride-along software that they didn't ask for, and maybe didn't want. This is wrong, and borders on malware distribution practices," Lilly said.

So far, Apple has not commented on Yacubian's vulnerability report.

Read more on: Apple, Safari, Secunia, Windows, iTunes
Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
High Quality CRM Data: Prevent, detect and fix errors at the point of data entry for Dynamics CRM. Trillium Software helps you achieve an accurate, synchronized, single view of customers. It's time to trust your data. Take a product tour and read CRM Analyst opinions here.
MORE IN DATA SECURITY
Product Information and Resources for Technology You Can Use To Boost Your Business
© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.