The Enterprise Security Supersite NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Click for more information, or
Home Network Security Viruses & Malware Cybercrime Security Solutions More Topics...
Data Security
Is your endpoint data protected?
Average Rating:
Rate this article:  
Dangerous Flaws Reported in Safari for Windows

Dangerous Flaws Reported in Safari for Windows
By Richard Koman

Share
Share on Facebook Share on Twitter Share on Linkedin Share on Google Plus

Security firm Secunia reports vulnerabilities in Apple, Inc.'s Safari for Windows browser can corrupt memory and display arbitrary code. The report of flaws in Apple's Safari for Windows follow a controversy about Apple pushing Safari onto Windows users' desktops through the Apple Software Update for Apple's iTunes music application.
 

Related Topics

Apple
Safari
Secunia
Windows
iTunes



Argentinian hacker Juan Pablo Lopez Yacubian has discovered two critical flaws in Apple's Safari 3.1 browser for Windows, according to security firm Secunia.

First, Yacubian says, an error when downloading a .zip file with an overly long filename can be exploited to cause memory corruption. "Successful exploitation may allow execution of arbitrary code," Secunia's Web site says.

In addition, an error in the handling of Windows can be exploited to display arbitrary content while showing the URL of a trusted Web site in the address bar, the researcher reported.

Risk to Enterprises

"It's not good news when three days after releasing a significant update to any software, that a researcher publishes two highly critical bugs for the new release," said Andrew Storms, director of security operations for nCircle Network Security, in an e-mail.

"Further, the risk to enterprises and consumers alike have been further heightened as the proof of concept for these vulnerabilities is now readily available. The move from proof of concept to weaponization is just around the corner," Storms said. Indeed, the mix of research being reported at the CanSecWest security conference in Vancouver this week means that "weaponization has probably already occurred," he added.

The only bright point here is that "Safari still hasn't got the largest market share when it comes to browsers," Storms said.

Software Pushed on Users

News of the bugs comes in the context of Apple's controversial practice of pushing the new Safari to Windows users through iTunes' software updater. Even users who had never installed a previous version of Safari were offered the new software and, if they performed the default behavior of just clicking OK, they wound up with Safari on their hard drives.

The practice generated a firestorm of controversy, fueled largely by Mozilla CEO John Lilly's blog post that Apple was "wrong" and "bordering on malware."

"While this might have been an annoying situation to users," Storms said, "given the new Safari vulnerabilities, it's also a bigger security risk."

Practice 'Borders on Malware'

Lilly ripped into Apple on his blog, saying, "What Apple is doing now with their Apple Software Update on Windows is wrong. It undermines the trust relationship great companies have with their customers, and that's bad -- not just for Apple, but for the security of the whole Web."

He added that it's "critically, crucially important for the security of end users and for the security of the Web at large that people stay current. If people don't update software regularly, it is impossible for them to remain safe." So if users are turned off by Apple's updates because they feel burned about having Safari thrust upon them, overall Web security it harmed.

"Apple has made it incredibly easy -- the default, even -- for users to install ride-along software that they didn't ask for, and maybe didn't want. This is wrong, and borders on malware distribution practices," Lilly said.

So far, Apple has not commented on Yacubian's vulnerability report.
 

Tell Us What You Think
Comment:

Name:



Get Powerful App Acceleration with Cisco. In a world where time is money, you need to accelerate the speed at which data moves through your data center. Cisco UCS Invicta delivers powerful, easy-to-manage application acceleration for data-intensive workloads. So you can make decisions faster and outpace the competition. Learn More.


 Data Security
1.   Gmail Hackable by Android Apps
2.   UPS Stores Hit by Data Breach
3.   9 Norton Security Products Are Now 1
4.   Data Stolen from U.S. Health Network
5.   FBI Cybersquad To Add Agents


advertisement
UPS Stores Hit by Data Breach
Biz must adopt better security measures.
Average Rating:
Data Stolen from U.S. Health Network
Chinese hackers targeted hospital firm.
Average Rating:
9 Norton Security Products Are Now 1
Symantec takes software-as-service tack.
Average Rating:


advertisement
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Researchers Find Malicious Android Apps Can Hack Gmail
A new study shows that a weakness in the Android mobile operating system can be used to steal sensitive, personal info from unwitting users. Gmail proved to be the easiest app to attack; Amazon, the hardest.
 
UPS Stores in 24 States Hit by Data Breach
Big Brown has been breached. UPS said that about 105,000 customer transactions at 51 of its UPS Store locations in 24 states could have been compromised between January and August.
 
Cost of Target Data Breach: $148 Million Plus Loss of Trust
The now infamous Target data breach is still costing the company -- and its shareholders -- plenty. In fact, the retailing giant forecast the December 2013 incident cost shareholders $148 million.
 

Enterprise Hardware Spotlight
Acer's New Desktop Box Rides the Chrome OS Wave
Filling out its Chrome OS line, Acer is following the introduction of a larger Chromebook line earlier this month with a new tiny $180 desktop Chromebox and also a smaller Chromebook.
 
Feds OK $2.3 Billion IBM-Lenovo x86 Server Deal
IBM and Lenovo are celebrating U.S. approval of their x86-based server deal, having cleared some major security hurdles. The deal makes Lenovo a major player for enterprise data centers.
 
Three New Lenovo PCs Aimed at Business Users
With businesses wanting computing solutions that do more for less money, Lenovo has unveiled three new desktop PCs that it says offer solid computing at a budget-minded price.
 

Mobile Technology Spotlight
Screen Shortage Briefly Puts Brakes on iPhone 6
RAM? Check. Antenna switch? Check. Screen? Oops. Parts suppliers for Apple have found themselves facing a shortage of screens for the new iPhone 6 as next month's release date for the new smartphone looms.
 
Bounty Offered to Coders for Oculus Rift Bugs
Coders who find bugs in software for the Oculus Rift VR immersive headset could receive a reward of at least $500 under Facebook's White Hat bounty program. Facebook acquired Oculus in March.
 
Google Glass Adds Voice Access to Phone Contacts
The latest update to Google Glass will let users access their top 20 phone contacts with voice commands alone. A user can then choose a phone call, Google hangouts, e-mail or text messaging.
 

Navigation
Enterprise Security Today
Home/Top News | Network Security | Viruses & Malware | Cybercrime | Security Solutions | Mobile Security | Disaster Recovery | Windows Security
Data Security | EST Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.