Print 40 comment(s) - last by bupkus.. on May 11 at 5:35 PM

Apple, which perpetually makes fun of Microsoft's Windows for being "buggy" and "virus prone" is yet again endangering its users with lax security and poorly written code.  (Source: Apple)

This time Apple's latest security woe is a "highly critical" flaw in its Safari browser; and Apple is yet again silent on the issue.
Cyberthieves can use the vulnerability to execute arbitrary code, steal information

Apple's arrogant air when it comes to security has yet again come back to bite it.  This time Danish security research firm Secunia discovered yet another vulnerability in the web browser Safari, which they billed as "highly critical" -- their most serious rating.

Secondary confirmation of the bug came from the United States Computer Emergency Readiness Team (US-CERT) (part of the U.S. Department of Homeland Security), which issued an advisory after Polish researcher Krystian Kloskowski disclosed the bug on Friday.

The bug exploits Apple's poor implementation of code that handle's the browser's parent windows.  According to Secunia, "This can be exploited to execute arbitrary code when a user visits a specially-crafted Web page and closes opened pop-up windows."

US-CERT adds that HTML email opened in webmail services such as Gmail or Windows Live Hotmail may also exploit the flaw.  By compromising the operating system, hackers are free to log user information (such as credit cards or personal contacts) and install malware to accomplish a host of evils.

The flaw works in Windows 7 on the latest version of Safari 4 (4.0.5).  "Other versions may also be affected" according to US-CERT -- so OS X users of Safari aren't off the hook yet.  Charlie Miller, noted Mac hacker and security expert was not available to verify whether the bug existed in OS X.  He's on vacation after hacking Safari and earning $10,000 in loot in March at the Pwn2Own contest.

Miller has stated that Macs and Apple software are often easier to hack than PCs and Windows software.  Overall there's been relatively little interest in hacking Macs or Apple products, but what little attention there has been has revealed a host of security flaws.  Apple patched 16 flaws in Safari in mid-March -- including 10 that affected OS X.  Miller's exploit was among those flaws fixed.

Apple is keeping quiet on the latest danger to its customers -- its usual response to such security dangers.  Security experts at US-CERT and Secunia are providing Safari users with some sound advice for now at least -- don't open untrusted HTML emails, and disable JavaScript except on trusted sites.

Many security experts have criticized Apple's lax stance on security and poorly implemented products.  Charlie Miller states, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

Or as Mac researcher Dino Dai Zovi once put it, "There is no magic fairy dust protecting Macs.  Writing exploits for [Microsoft] Vista is hard work. Writing exploits for Mac is a lot of fun."

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Safari
By carniver on 5/10/2010 5:58:43 PM , Rating: 2
Safari is one of the choices on the ballot screen shipped with the European version of Windows 7. Those who love Apple but got a PC for budget constraints may actually pick it.

Though the next question is, why didn't UAC prevent this hack? Isn't Windows 7 supposed to be secured from this type of attack?

RE: Safari
By HrilL on 5/10/2010 6:09:47 PM , Rating: 5
Most likely because you gave Safari access to make changes to your system when you installed it. UAC pretty much only happens when you want to install something or run an update like for Java.

RE: Safari
By inighthawki on 5/10/2010 7:08:19 PM , Rating: 3
No, UAC pops up when something requires privileges higher than the current user privileges. This means that any administrator task would need permission no matter what. There is no way to "white-list" an application or give it permissions before-hand. It's likely that code that has been executed by this exploit did not require any admin privs at all. (Not all malware requires admin in order to accomplish their goals).

One could easily create a keyboard hook and use a keylogger without admin privs, and if the code is executed through the safari process, it likely already has firewall privs to bypass it and send back the data. That is just one example, and many other tasks like reading registry keys are more examples (assuming the registry keys have read permission by the current user)

RE: Safari
By seamonkey79 on 5/11/2010 4:26:54 PM , Rating: 2
Never mind the fact that most people seem to blindly click the "get out of my way" button on UAC messages.

RE: Safari
By damianrobertjones on 5/10/2010 6:26:57 PM , Rating: 3
The next question is...

Why are people running as admin in the first place? Agggggghhhhhhhh

RE: Safari
By MrBlastman on 5/11/2010 7:54:38 AM , Rating: 2
Yeah! There's an idea. Let's buy a perfectly good PC and then go and install crappy Apple software just so we can ruin it! :(

"This is from the It's a science website." -- Rush Limbaugh

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki