Homeland Security Warns About Latest Dangerous Apple Browser Bug
May 10, 2010 5:20 PM
comment(s) - last by
Apple, which perpetually makes fun of Microsoft's Windows for being "buggy" and "virus prone" is yet again endangering its users with lax security and poorly written code.
This time Apple's latest security woe is a "highly critical" flaw in its Safari browser; and Apple is yet again silent on the issue.
Cyberthieves can use the vulnerability to execute arbitrary code, steal information
when it comes to security has yet again come back to bite it. This time Danish security research firm Secunia
yet another vulnerability in the web browser Safari, which they billed as "highly critical" -- their most serious rating.
Secondary confirmation of the bug came from the United States Computer Emergency Readiness Team (US-CERT) (part of the U.S. Department of Homeland Security), which
an advisory after Polish researcher Krystian Kloskowski disclosed the bug on Friday.
The bug exploits Apple's
of code that handle's the browser's parent windows. According to Secunia, "This can be exploited to execute arbitrary code when a user visits a specially-crafted Web page and closes opened pop-up windows."
US-CERT adds that HTML email opened in webmail services such as Gmail or Windows Live Hotmail may also exploit the flaw. By compromising the operating system, hackers are free to log user information (such as credit cards or personal contacts) and install malware to accomplish a host of evils.
The flaw works in Windows 7 on the latest version of Safari 4 (4.0.5). "Other versions may also be affected" according to US-CERT -- so OS X users of Safari aren't off the hook yet. Charlie Miller, noted Mac hacker and security expert was not available to verify whether the bug existed in OS X. He's on vacation after hacking Safari and
earning $10,000 in loot
in March at the Pwn2Own contest.
Miller has stated that Macs and Apple software are often easier to hack than PCs and Windows software. Overall there's been relatively little interest in hacking Macs or Apple products, but what little attention there has been has revealed a host of security flaws. Apple patched 16 flaws in Safari in mid-March -- including 10 that affected OS X. Miller's exploit was among those flaws fixed.
Many security experts have criticized Apple's lax stance on security and poorly implemented products. Charlie Miller
Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.
Mac researcher Dino Dai Zovi
once put it
There is no magic fairy dust protecting Macs. Writing exploits for [Microsoft] Vista is hard work. Writing exploits for Mac is a lot of fun.
This article is over a month old, voting and posting comments is disabled
5/10/2010 7:08:19 PM
No, UAC pops up when something requires privileges higher than the current user privileges. This means that any administrator task would need permission no matter what. There is no way to "white-list" an application or give it permissions before-hand. It's likely that code that has been executed by this exploit did not require any admin privs at all. (Not all malware requires admin in order to accomplish their goals).
One could easily create a keyboard hook and use a keylogger without admin privs, and if the code is executed through the safari process, it likely already has firewall privs to bypass it and send back the data. That is just one example, and many other tasks like reading registry keys are more examples (assuming the registry keys have read permission by the current user)
5/11/2010 4:26:54 PM
Never mind the fact that most people seem to blindly click the "get out of my way" button on UAC messages.
"If you look at the last five years, if you look at what major innovations have occurred in computing technology, every single one of them came from AMD. Not a single innovation came from Intel." -- AMD CEO Hector Ruiz in 2007
Charlie Miller to Unveil 20 Zero-day OS X Exploits at CanSecWest
March 19, 2010, 9:55 AM
Another Major Mac Computer Security Flaw Discovered
July 30, 2009, 10:52 AM
Mac Gets The Girl In New Anti-Microsoft Ad
May 13, 2009, 9:33 AM
Safari Plagued By Bugs, Accidental Violation Of Its Own EULA
March 27, 2008, 1:03 PM
Target Data Breach Compromises 40 Million Customer Credit/Debit Cards
December 19, 2013, 12:06 PM
Netflix to Stream House of Cards in 4K via HEVC H.265 Compression
December 19, 2013, 11:38 AM
Overzealous Porn Filters in the UK Block Educational Sites
December 19, 2013, 10:30 AM
Hulu to Hit $1 Billion in Revenue by End of Year
December 18, 2013, 1:35 PM
Harvard Undergrad Busted by Wi-Fi after Making Bomb Threat to Avoid Finals
December 18, 2013, 10:37 AM
San Francisco's Market Street Receives Free Outdoor Wi-Fi
December 17, 2013, 11:14 AM
Most Popular Articles
China's Lunar Rover Enters Orbit, Prepares for Historic Sat. Landing
December 13, 2013, 5:00 PM
Ten Senators Sponsor Bill to Scrap Corn Ethanol Market Manipulation
December 13, 2013, 1:52 PM
China's Moon Rover Lands Safe and Sound, Starts Snapping Pics
December 16, 2013, 1:22 PM
Metro-Enabled Firefox Browser Expected to Land After Two Years of Work
December 12, 2013, 5:21 PM
Top Microsoft Graphics Genius Defects to Google
December 17, 2013, 4:27 PM
Latest Blog Posts
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
Global Cyber Espionage Concerns Reveal Growing Cyber Armies
Nov 29, 2013, 11:04 AM
Is The Period Becoming an Expression of Anger?
Nov 26, 2013, 2:02 PM
NSA and Congress -- You Will Never Kill the Constitution, It's an Idea
Nov 10, 2013, 2:00 PM
AT&T Explores $100B+ USD Deal to Acquire Vodafone's European Operations
Nov 4, 2013, 7:34 AM
More Blog Posts
Copyright 2013 DailyTech LLC. -
Terms, Conditions & Privacy Information