backtop


Print 65 comment(s) - last by djtechsupport.. on Aug 6 at 2:05 PM


A recent Secunia study indicated that Apple had the most vulnerabilities of the major tech companies  (Source: Secunia)

Apple's Safari browser happily will fill in your personal info to malicious web forms. This glaring flaw can lead to an unacceptable breach of privacy.  (Source: Jeremiah Grossman)
"It just works." -- Apple slogan

Apple is known for its tendency to deny problems with its popular gadgets, making life miserable for customers when such problems occur.  While Apple's iPhone 4 antenna issues are currently stealing the show, there's perhaps no better example overall than Apple's spotty track record on security.

Security research firm Secunia just released a list of vulnerabilities and Apple for the first has come out on top as the most vulnerable.  Secunia warns, "[The] graph is not an indication of the individual vendors’ security, as it is not possible to compare the vendors based on number of vulnerabilities alone."

Apple's supporters were quick to attack the report.  
AppleInsider writes:

Not all vulnerabilities are equal: Secunia outlines five levels of criticality ranging from minor "not critical" issues to "extremely critical" problems that can result in remote exploits without any interaction from the user, and for which active exploits are already known to exist. Yet Secunia's vulnerability report totals throw all these various types of flaws together into sums that are frequently used for meaningless comparison purposes. 

It's ironic that almost simultaneous to the report another significant security flaw in Safari aired.  Safari -- Apple's browser software -- has oft seen releases so buggy to the point that they were unusable.  Safari 5 certainly offered some improvements in that department, but it apparently doesn't fair particularly better in the security department than past releases, including Safari 4 which had a flaw so severe it prompted a Department Homeland Security warning.

While the latest Safari bug isn't as bad an exploit as some go, considering it's not a route to installing malware, it can result in the theft of your personal info.  It all starts with one of Apple's features in Safari -- autofill.  Different from the standard browser's autofill, which remembers users names and passwords for certain sites, Safari has an even more ambitious autofill which maintains info about a user in their address book card and offers up these details when needed.

Unfortunately, Apple didn't appear to realize that it was necessary to screen what it allows to access this data.  Security researchers revealed that a simple web form can grab much of this data -- first name, last name, work place, city, state, and email address -- no questions asked.

Such info could be used in phishing schemes.  It could also be used in blackmail schemes if the users were visiting naughty websites.  Ultimately, it represents a gross threat to privacy that easily surpasses Apple's recent loss of iPad buyers' email addresses (a problem that was largely carrier AT&T's fault).  Apple was informed of the problem on June 17, 2010, but since has done nothing.

The flaw was discovered by Jeremiah Grossman, founder of WhiteHat Security.

Security problems are hardly something new for Apple though.  The iPhone has increasingly been attacked.  One security researcher suggested its security was so poor that it was "useless" to businesses.  Apple has made some improvements with each release of its iPhone OS, but they didn't stop malicious worms from cropping up in the iPhone 3GS generation.

On the computer side, Apple also has had numerous past issues.  Its weak memory protections in its past two operating systems -- Tiger and Snow Leopard -- have spawned a number of successful attacks.  Worse yet Apple's latest OS -- Snow Leopard -- shipped with an outdated vulnerable version of Adobe Flash.

Apple has made some gains -- its new OS does come with mild antivirus protections (though Apple quietly recommends users purchase dedicated AV software).  And the OS does offer working DEP (data execution prevention), though it ships with a virtually broken address space layout randomization (ASLR) implementation (which rival Microsoft's Windows 7 flawlessly implements).

Ultimately, though what is really killing Apple is its slow patch time.  Apple's "there is no problem" mentality has made it the slowest company at patching, according to recent surveys.  It took it a year to finally last year (June) patch a major Java hole.  Unfortunately, such performance is more the rule than the exception to it.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Yes we know
By mstrmac on 7/25/2010 2:09:26 AM , Rating: -1
Posted by: NotTellinYou on another forum

Is it me or is this article REALLY confusing and is this too WAY overblown like antennagate?

Let's look:

"autofills HTML form text fields with specific attribute names such as "name," "company," "city," and "state."

Isn't this the kind of information we post to any number of blogs, news sites, LinkedIn, and Facebook BY DEFAULT? I mean if someone wanted this information it's out there MANY places for the taking?

"However, the Autofill attack can't obtain data beginning with a number, such as phone numbers or street addresses"

So wouldn't it be easier, and more productive and effective, to just go by any number of complete marketing mailing lists that do include the names, numbers, and complete addresses of millions of people?

"This feature just makes it easier for criminals to do mass collections of information that they can later sell, and compromise your identity," said Rob Enderle, principal analyst at the Enderle Group."

Rob, if that was true, and we could all have our identities compromised by allowing "text fields with specific attribute names such as "name," "company," "city," and "state" wouldn't the same be true with one of the plethora of marketing mailing lists out there and spam email lists? I guess I'm not sure how grabbing this information from Safari would do that when there are, and there have been, other ways to gain this data that are completely legal, for decades that exist?

But then there seems to be confusion by the "experts":

"Other browsers may not be threatened by the Autofill attack. I am not aware of the problem affecting other browsers," ESET's Abrams said. "I believe that Safari is unique in linking to the address book by default."

But then he says:

"Even if users select another browser, such as Firefox, they need to check the default settings, Abrams warned."

So as a concerned reader I'm left wondering which is it? Right? But wait, we're told:

"There's no guarantee that when the next version of Safari comes out, it won't revert to default settings," he pointed out."

So wouldn't that also be true of FireFox?

"Users will never be sure of remaining safe or maintaining their privacy if they do not review their browser settings and change them to enhance security and privacy from the lax default settings the browsers ship with," Abrams remarked."

It's my understanding, from Apple's Safari 101 page that this feature is OFF by default NOT "on". Is that not correct? I mean I could do a clean install to check but the Safari pages details how to TURN IT ON so it would seem it's off by default. Anyone?

"Don't use autofill for information such as passwords, birth dates, Social Security numbers, credit card validation numbers and credit card expiration dates," Enderle said. "If you wouldn't put it on Facebook, it shouldn't be in Autofill."

Well...never mind these things are not stored in the Address book for auto-fill so this statement makes no sense, passwords are in the Keychain, and since the exploit doesn't work with fields beginning with a number it seems these would be the most secure fields of all if they did right?

"April 2009 Patrice Neff wrote some HTML code to conduct an autofill attack that would steal a user's birthdate and posted it on his blog."

So since this no longer works, it's a number, according to the article, did Apple fix that or is it still broken?

Anyway, all in all I'm not happy someone can grab my name city and state, but frankly you can also grab that from any number places and if you want to know that an more you can get any number of lists without me knowing about it anyway! All you need to do is check out my mailbox at Christmas time and see all the junk mail to realize that!

Oh well...carry on!


RE: Yes we know
By dark matter on 7/25/2010 9:53:03 AM , Rating: 3
Nice dialogue, doesn't excuse Apple though.


"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." -- Charlie Miller














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki