
Apple, which perpetually makes fun of Microsoft's Windows for being "buggy" and "virus prone", is yet again endangering its users with lax security and poorly written code.  (Source: Apple)

This time the woe is a "highly critical" flaw in its Safari browser, and Apple is yet again silent on the issue.
Cyberthieves can use the vulnerability to execute arbitrary code, steal information

Apple's arrogant air when it comes to security has yet again come back to bite it.  This time Danish security research firm Secunia discovered yet another vulnerability in the web browser Safari, which it rated "highly critical", one step below its top "extremely critical" rating, which Secunia reserves for flaws already being exploited in the wild.

Secondary confirmation of the bug came from the United States Computer Emergency Readiness Team (US-CERT) (part of the U.S. Department of Homeland Security), which issued an advisory after Polish researcher Krystian Kloskowski disclosed the bug on Friday.

The bug lies in Safari's handling of parent windows, the code that keeps track of the window that opened a pop-up.  According to Secunia, "This can be exploited to execute arbitrary code when a user visits a specially-crafted Web page and closes opened pop-up windows."  In other words, no download or plug-in is needed: a page that opens pop-ups, plus the user closing them, is the whole trigger.

US-CERT adds that HTML email opened in webmail services such as Gmail or Windows Live Hotmail may also trigger the flaw, since webmail is rendered by the browser like any other page.  Code that runs this way executes with the privileges of the Safari process, i.e. those of the logged-in user.  That alone is enough to read the user's files, log what is typed (credit card numbers, personal contacts) and install malware in the user's profile; no separate operating-system compromise is required, and on most home machines the user is an administrator anyway.

The flaw is confirmed on Windows 7 with the latest version of Safari 4 (4.0.5).  "Other versions may also be affected" according to US-CERT, so OS X users of Safari aren't off the hook yet.  Charlie Miller, noted Mac hacker and security expert, was not available to verify whether the bug exists on OS X.  He's on vacation after hacking Safari and earning $10,000 in loot in March at the Pwn2Own contest.
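Because Safari for Windows often arrives bundled with iTunes or QuickTime rather than by deliberate choice, the first practical question for a Windows administrator is which machines actually have it.  The following inventory script is an added example for this article, not code from Apple, Secunia or US-CERT.  It assumes (none of this is stated in the article) that Safari registers under the standard Windows Uninstall registry keys with DisplayName "Safari", that the default install path is Program Files\Safari\Safari.exe, and that Safari.exe's ProductVersion resource carries the marketing version (4.0.5).  Where the version string does not match that format the script reports "review" rather than guessing.

```powershell
# Added example: inventory Safari for Windows and compare against the build the
# advisory names (4.0.5).  Not code from Apple, Secunia or US-CERT.
#
# Assumptions (not from the article):
#   - Safari registers under the standard Uninstall keys with DisplayName 'Safari'.
#   - Default install path is "<Program Files>\Safari\Safari.exe" (32-bit Program
#     Files on 64-bit Windows).
#   - Safari.exe's ProductVersion resource carries the marketing version.  If it
#     carries something else, the host is marked 'review' instead of guessed at.

$AffectedVersion = [version]'4.0.5'   # latest build reported affected at time of writing

function Get-SafariInstall {
    # Walk both the native and the WOW6432Node uninstall hives.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -eq 'Safari' }
    }
}

function Get-SafariExePath {
    # Default locations only; a relocated install will show up via the registry
    # entry instead (assumption: the default path is used).
    $candidates = @((Join-Path $env:ProgramFiles 'Safari\Safari.exe'))
    if (${env:ProgramFiles(x86)}) {
        $candidates += (Join-Path ${env:ProgramFiles(x86)} 'Safari\Safari.exe')
    }
    $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
}

function Test-SafariAffected {
    param([string]$ProductVersion)
    $parsed = $null
    # Keep only the numeric dotted prefix; ProductVersion strings may carry
    # trailing text.  Anything unparseable is sent for manual review.
    if ($ProductVersion -match '^\s*(\d+(\.\d+){1,3})') {
        $parsed = [version]$Matches[1]
    }
    if (-not $parsed) { return 'review' }
    if ($parsed -le $AffectedVersion) { return 'affected' }
    return 'newer-than-advisory'
}

$installs = @(Get-SafariInstall)
$exe      = Get-SafariExePath

if (-not $installs -and -not $exe) {
    Write-Output "$($env:COMPUTERNAME): Safari for Windows not found."
    return
}

# Prefer the binary's own version resource; fall back to the registry's
# DisplayVersion (assumption: either carries the marketing version).
$productVersion = $null
if ($exe) {
    $productVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe).ProductVersion
}
if (-not $productVersion -and $installs) {
    $productVersion = $installs[0].DisplayVersion
}

[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    Registered     = [bool]$installs
    ExePath        = $exe
    ProductVersion = $productVersion
    Status         = Test-SafariAffected -ProductVersion $productVersion
}
```

Run it under whatever remote execution you already use for fleet scripts; reading HKLM and Program Files needs no elevation.  A "review" status means the version string did not match the assumed format and should be checked by hand, and "affected" is only as good as the 4.0.5 threshold, which should be raised once Apple ships a fix.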

Miller has stated that Macs and Apple software are often easier to hack than PCs and Windows software.  Overall there's been relatively little interest in hacking Macs or Apple products, but what little attention there has been has revealed a host of security flaws.  Apple patched 16 flaws in Safari in mid-March -- including 10 that affected OS X.  Miller's exploit was among those flaws fixed.

Apple is keeping quiet on the latest danger to its customers -- its usual response to such security dangers.  Security experts at US-CERT and Secunia are providing Safari users with some sound advice, for now at least: don't open untrusted HTML emails, and disable JavaScript except on trusted sites.

Many security experts have criticized Apple's lax stance on security and poorly implemented products.  Charlie Miller states, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

Or as Mac researcher Dino Dai Zovi once put it, "There is no magic fairy dust protecting Macs.  Writing exploits for [Microsoft] Vista is hard work. Writing exploits for Mac is a lot of fun."


By eddieroolz on 5/10/2010 5:30:34 PM , Rating: 5
Why would anybody use Safari on Windows? It has absolutely nothing going for it.

RE: Safari
By JasonMick on 5/10/2010 5:40:30 PM , Rating: 5
Why would anybody use Safari on Windows? It has absolutely nothing going for it.

You would think that, but then again there's people that swear by EVERY SINGLE Apple product for no good reason.

In one of my grad classes there was this guy who struck up a random conversation with me (I kid you not...) about how "Every product Apple makes is great."

And proceeds into a long winded story about how much his [blind] love of all things Apple and how he's gotten all his friends and family members to use OS X, Macs, Safari, etc. And he even started ranting about how horrible Windows and Windows software was.

I considered having a rational debate with him, but by the end of the conversation I realized he was beyond reason, so I instead settled for just laughing at him in my head.

RE: Safari
By Chapbass on 5/10/2010 10:29:39 PM , Rating: 2
Totally agree. The co-worker that sits next to me is by far the most blind apple fanboi I've EVER seen. Yep, he uses Safari blindly on our XP machines in our office (or i should say, on his machine). We argue about it (apple in general, not safari) pretty much daily.

Speaking of...his ipad 3g order is coming tomorrow...maybe I should call in sick :\

RE: Safari
By subhajit on 5/11/2010 1:43:51 AM , Rating: 2
A preemptive sick leave? Now that's an idea...

RE: Safari
By MrBlastman on 5/11/2010 7:51:34 AM , Rating: 2
The Apple sickness is incurable. Whenever I imagine an Apple fan, I think of Steve jobs sidling up behind one, stuffing an apple in their mouth to gag them and then dropping trow, reaming his hot man love into them over and over while they take it. Once you've been "touched by Jobs," you are forever stained. ;)

Speaking of the article, it is a bug that Apple even exists still to this day.

RE: Safari
By chick0n on 5/11/10, Rating: 0
RE: Safari
By Smartless on 5/11/2010 3:13:14 PM , Rating: 2
As long as we're sharing stories....

This person was arguing with me how she thinks that Windows must be using underhanded tactics because she wants some software but they don't make a Mac version. I said it doesn't make sense if you're a small company to program to 10% market-share. Her response was well if it works on Windows it would work better on a Mac.

Same conversation now... She went to a conference where she was bragging that Stanford and Harvard use only Macs (I think that's the schools she stated). She said look, its a hint to the future because people from those schools are going to be bosses someday. It took a lot of effort to the point of almost exploding not to say something at that point.

RE: Safari
By AlphaVirus on 5/11/2010 12:51:54 PM , Rating: 2
You aren't the only one.

My wife had an Art teacher that preached that all Apple products are the best on the market. This teacher told all of the students they had to purchase an Apple Mac PC to use Adobe Photoshop because Windows based PCs couldn't run the software. This was the software they used in the class.

At the time we had an Athlon X2 HP PC, and I told my wife "Give me one day and I will show you that your teacher is full of BS".

I searched online for a legit downloadable version, showed my wife and she returned to class and told the teacher. Let's just say he was very protective and wanted to debate with my wife that she was lying.

RE: Safari
By carniver on 5/10/2010 5:58:43 PM , Rating: 2
Safari is one of the choices on the ballot screen shipped with the European version of Windows 7. Those who love Apple but got a PC for budget constraints may actually pick it.

Though the next question is, why didn't UAC prevent this hack? Isn't Windows 7 supposed to be secured from this type of attack?

RE: Safari
By HrilL on 5/10/2010 6:09:47 PM , Rating: 5
Most likely because you gave Safari access to make changes to your system when you installed it. UAC pretty much only happens when you want to install something or run an update like for Java.

RE: Safari
By inighthawki on 5/10/2010 7:08:19 PM , Rating: 3
No, UAC pops up when something requires privileges higher than the current user privileges. This means that any administrator task would need permission no matter what. There is no way to "white-list" an application or give it permissions before-hand. It's likely that code that has been executed by this exploit did not require any admin privs at all. (Not all malware requires admin in order to accomplish their goals).

One could easily create a keyboard hook and use a keylogger without admin privs, and if the code is executed through the safari process, it likely already has firewall privs to bypass it and send back the data. That is just one example, and many other tasks like reading registry keys are more examples (assuming the registry keys have read permission by the current user)

RE: Safari
By seamonkey79 on 5/11/2010 4:26:54 PM , Rating: 2
Never mind the fact that most people seem to blindly click the "get out of my way" button on UAC messages.

RE: Safari
By damianrobertjones on 5/10/2010 6:26:57 PM , Rating: 3
The next question is...

Why are people running as admin in the first place? Agggggghhhhhhhh

RE: Safari
By MrBlastman on 5/11/2010 7:54:38 AM , Rating: 2
Yeah! There's an idea. Let's buy a perfectly good PC and then go and install crappy Apple software just so we can ruin it! :(

RE: Safari
By Justin Time on 5/10/2010 6:16:21 PM , Rating: 3
Buying a Mac just to make sure a website works with Safari is a bit overkill... and provided Apple make sure both Mac and PC versions render the same way, it's a good option.

RE: Safari
By Gul Westfale on 5/10/2010 6:49:37 PM , Rating: 5
appletard, foaming at the mouth:


RE: Safari
By bodar on 5/10/2010 9:36:47 PM , Rating: 2
That doesn't explain why you'd be using the browser for day-to-day stuff. You still have to visit a specifically-made webpage to get exploited. Why wouldn't you just use the other browsers installed on the test box?

RE: Safari
By funkyd99 on 5/11/2010 10:11:51 AM , Rating: 2
Don't forget that Safari is bundled with iTunes... I believe it used to be selected for install by default. So, the users that blindly click "next" on install screens may be using Safari even though they never wanted to.

RE: Safari
By cknobman on 5/11/2010 10:48:29 AM , Rating: 2
In my office the guy sitting next to me uses Safari on our XP Pro desktops. He swears it's the best and fastest browser out there and refuses to use anything else. FTR my group is made up of all .Net developers.

RE: Safari
By zonkie on 5/11/2010 4:42:11 PM , Rating: 2
If it opens pop-up windows, you blew it.

The difference
By Abrahmm on 5/10/2010 5:51:22 PM , Rating: 5
It's interesting to note the difference in the way Apple and Microsoft respond to security threats. Microsoft will issue warnings, post up temporary workarounds to protect users, and try to get a patch out as quick as possible. Apple on the other hand puts their hands over their ears, screams "Lalalalala", and might possibly get a fix out in 8-10 months.

RE: The difference
By adiposity on 5/10/2010 5:58:43 PM , Rating: 2
Well there have been times where MS didn't fix security holes for literally years. So let's not praise them too much, just because Apple are idiots, too.

RE: The difference
By SoCalBoomer on 5/10/2010 6:12:13 PM , Rating: 5
doesn't change the fact that for the VAST majority of the problems that have come up for MS Windows, they've taken pretty quick and predictable action; while the opposite is true of Apple.

RE: The difference
By Reclaimer77 on 5/10/2010 8:14:32 PM , Rating: 4
and might possibly get a fix out in 8-10 months.

A fix in the form of updates you have to pay for. Don't forget that.

RE: The difference
By chick0n on 5/11/2010 10:26:13 AM , Rating: 2
Those are FEATURES! You got that ?

Whats wrong with having new bug fixes ... err I mean FEATURES every year or so ?

silly security experts
By magreen on 5/10/2010 5:41:46 PM , Rating: 5
Don't they know every Mac is protected by a reality distortion field?

RE: silly security experts
By dflynchimp on 5/10/2010 7:08:01 PM , Rating: 2
I know right? the bugs and viruses hit the distortion field and BOOM they are suddenly changed into new and improved "magical" features.

RE: silly security experts
By amanojaku on 5/10/2010 7:13:03 PM , Rating: 5
IT Security: Let me see your patch level.
Jobs: [with a small wave of his hand] You don't need to see his patch level.
IT Security: We don't need to see his patch level.
Jobs: These aren't the exploits you're looking for.
IT Security: These aren't the exploits we're looking for.
Jobs: He can go on the 'net.
IT Security: You can go on the 'net.
Jobs: Move along.
IT Security: Move along... move along.

Safari being bundled with iTunes and Quicktime
By vectorm12 on 5/10/2010 7:06:39 PM , Rating: 2
I think the fact that Apple more or less tricks basic users into installing Safari as a part of iTunes and Quicktime is the biggest issue for Win7 users.

I've seen more than a few people install iTunes and without realizing it installing Safari at the same time.

Even if it's not installed it'll still be checked for installation at next iTunes/Quicktime update.

Same issue is present with a lot of software that bundles browser bars and whatnot. For the uninitiated user it's hard to know what you HAVE to install and what the company WANTS you to install.

By bodar on 5/10/2010 9:43:53 PM , Rating: 2
It doesn't force you to use it though, IIRC. Don't get me wrong, I frigging HATE their BS tactics for getting people to install Safari/iTunes with QT, but I don't think it makes itself the default browser. I try to avoid these programs partially for this reason.

By bbomb on 5/10/2010 7:30:33 PM , Rating: 1
...did Homeland Security start posting warnings about exploits? Did they just feel like jumping on the Apple hatin' bandwagon? I haven't looked it up but have they released any warnings about Internet Explorer, Opera, Chrome, or Firefox?

Just seems weird that they have jumped into, and are spending money on, browser vulnerabilities with all the other security issues the country is dealing with.

We have plenty of tech companies that already do they exact same thing.

By chick0n on 5/11/2010 10:30:18 AM , Rating: 2
That simply means you have no idea how programs work in general. It has nothing to do with how Windows deals with things.

When you have no idea of something, how about a STFU ?

By drycrust3 on 5/11/2010 4:29:43 AM , Rating: 1
Yes, we had news just this week that Apple have been conducting "free lance testing" of an improved OS which is not only unaffected by this bug, but is believed to have more features than the existing OSX: ANDROID!

This is a windows bug
By Tony Swash on 5/11/10, Rating: -1
RE: This is a windows bug
By Hieyeck on 5/11/2010 7:49:39 AM , Rating: 3
Are YOU the retard Jason was talking about?

RE: This is a windows bug
By MrBlastman on 5/11/2010 8:46:21 AM , Rating: 2
Wow. Sooo avoid the platform that has the most people working on actually FIXING security holes and instead, move to the platform where the people in charge of ever fixing something remain silent at all times and never admit there is a problem... You might never know if something gets fixed.

Yeah, that makes total sense.

The only reason 99% of actual attacks occur on Windows is because the majority of people use Windows. Apple's OS's have far more security holes, you just don't know it yet.

RE: This is a windows bug
By Tony Swash on 5/11/10, Rating: -1
RE: This is a windows bug
By bupkus on 5/11/2010 5:35:35 PM , Rating: 1
I don't think the reason that the mac platform has less malware than windows (by an order of magnitude) is because of market share but even if it was - so what? If you want a computing experience that's free from malware, viruses, trojans and all that sort of crap - get a mac. If you are happy with all the malware shit then stick with Windows. The choice is pretty simple.

If you want a computing experience that's free from malware, viruses, trojans and all that sort of crap - get OS/2 Warp. It also fits your market share model.

Copyright 2016 DailyTech LLC.