Safari 3.1 For Windows Vulnerable To Hacks

The new Safari 3.1 for Windows has been hit with two ‘highly critical’ (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of ‘untrusted’ sites.

http://apple.slashdot.org/article.pl?no_d2=1&sid=08/03/27/129236

Be Careful out there.

There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites.
Not using Safari would also cure this problem. :)

All web browsers have vulnerabilities. So not using the Internet would cure the problem.

Safari on the Mac usually gets periodic updates to correct things like this as part of Apple’s “Security Update 2008-xxx” patches. I’d imagine they will do the same for the Windows version through the Software Update program.

So not using the Internet would cure the problem
Mac, that's not an acceptable alternative. That would be the same as saying if you never get born then you don't have to worry about dying ;D

Safari Illegal to Use on Windows? http://www.theregister.co.uk/2008/03/26/apple_safari_eula_paradox/ then
http://www.theregister.co.uk/2008/03/27/apple_updates_safari_eula/
After all that talk about Apple pushing the Safari “update” on Windows users (here and here), as it turns out, it’s actually “illegal” for Windows users to install it! Read the first sentence in the image below and you’ll see what I mean:

It very clearly reads in Apple’s License Agreement which you have to agree to before downloading Safari, that “This License allows you to install and use one copy of the Apple Software on a single Apple-labeled computer at a time.” The last time I checked, my Dell computer had no Apple label to be found on it! It looks like Apple needs to take some time to review all of their agreements now that they’re branching out and offering software to Windows users.

What’s even more funny is that when the License Agreement pops up, it warns to read it carefully. Well, by reading it carefully it was discovered that PC users really aren’t supposed to be using it! It says in big bold/all caps:

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”) CAREFULLY BEFORE USING THE APPLE SOFTWARE. BY USING THE APPLE SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE, DO NOT USE THE SOFTWARE.

Maybe Apple is pushing Safari so hard because they’ll threaten all of the Windows users later on that they must switch to a Mac or face being sued? It looks like us software users aren’t the only ones that don’t read the agreement, apparently those who write it don’t read it either. This was clearly an oversight by Apple, and we imagine it’ll be fixed soon.

I’m glad that Safari is now legal to use on Windows ’cause I use it on my work Mac and it’s turning out to be a great browser :slight_smile:

You’re not wrong there!

[b]MacBook Air falls in two minutes at PWN 2 OWN[/b]
According to sources at the conference, Miller used an exploit against the Safari browser that ships standard with Mac OS X. Details of the vulnerability and the attack vector are now the property of TippingPoint’s ZDI (Zero Day Initiative), the sponsor of the Pwn2Own challenge.

pwned. (Quite literally, as Miller takes the laptop home now.)

http://blogs.zdnet.com/security/?p=984

Same story here:

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html

Obviously ZDNET fails to mention this part:

By late Thursday, Apple engineers were already working on patching the issue, said Aaron Portnoy, a TippingPoint researcher who is one of the contest's judges.

That’s where the difference is…

Also:

[b]Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network[/b], but on Thursday [b]the rules were relaxed[/b] so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.
The MacBook was the only system to be hacked by Thursday, however, the word on the show floor is that the [b]Linux and Vista systems will meet with some serious challenges on Friday[/b].

All this really proves is that there is no such thing as 100% safe anything.

It’s still up to the user which computer to buy and what software to run.
Sooner or later, even the best of us will get caught by a new malware infection. :cry:
Keep your guard up and your back-ups handy. ;D

Browser Exploit, not a flaw in the OS. And as Sasha pointed out even the browser exploit will be quickly patched.

Hi bob3160,

I have the strong impression that this is not necessary, and if you get infected it means a. your practices were insecure, b. your luck was out big time.
If you have adequate, updated, fully patched software, taken measures to reduce the risk of infections, like broad theater scanning solutions for av-af-as-ark, together with a normal user account, a NoScript solution on FF or Symantec’s NoScript in IE, and you have the security experience to stay away from where malware infestors may hide or made yourself invulnerable to them, you need not be infested with malware in the broadest sense of the word (no tracking cookies even), use hjt crap cleaning and other knowledgeable means. I am proof of it: since I became more involved in malware cleansing and knew more ways to protect myself “from visiting this forum frequently”, I had 0 malware on my box, two FPs, but that could be taken into account, and this for several years where malware numbers doubled every year.

polonus

I seem to remember you saying the same thing back in '06, Bob, when all those holes were appearing in IE6.

I still haven’t been ‘caught’ browsing with Firefox or Opera. I don’t agree with the ‘sooner or later’ idea: if you’re going to get caught, it’ll be using an application with poor security, one that doesn’t update quickly, or an unpatched and vulnerable version of an application.

Although Safari may be patched quickly, it’s worrying that it was hacked so easily. Also worrying is that it seems to suffer from problems that IE had several years ago:

Windows users may hope Safari doesn't share as much binary code between versions as it does licensing restrictions. In any event, last week's discovery that the latest version for Windows was susceptible to a simple page frame spoof may not be considered a "system compromise," though security firm Secunia saw fit to catalog it as "highly critical."

The code for this JavaScript-based exploit was made public, though there’s not much surprising or innovative about it: It’s the same kind of page spoofing problem that plagued Microsoft Internet Explorer over three years ago. Essentially it enables the creation of a browser frame that says its contents come from a URL but in fact derive from a separate JavaScript element that runs unchecked.

http://www.betanews.com/article/Newest_Safari_browsers_find_themselves_shooting_gallery_targets/1206719993

[Sarcasm mode on]

A web browser that has security flaws, the walls of reality are falling down! ::slight_smile: ;D

[Sarcasm mode off]

Seriously now, it will most likely be fixed soon and it’s not that worrying that it was “hacked” so easily; nothing made by humans will ever be “unhackable”. Apple still does make good software (although I admit it’s a little intrusive at times) and I still got confidence in it.
I must confess I haven’t tried the new Safari browser on Windows yet, though, due to other software I’m playing around with currently etc.

Also I would like to say I agree with polonus here, safe browsing habits should stop most of these exploits from becoming a reality here.

–lee

"It's one thing to find a vulnerability, it's another thing to make working exploit code," said Terri Forslof, TippingPoint's Manager of Security Response.

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html

This is the view I’ve always taken.

Isn’t this exactly the same link I posted a little bit earlier in this same thread?
http://forum.avast.com/index.php?topic=34148.msg286020#msg286020

That’s probably where I noticed it. Getting old, I’m afraid. Memory going…

Ubuntu is the winner … ;D

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up

Flash vulnerability on Vista. ::slight_smile:

Quote from: bob3160 on Yesterday at 04:50:20 PM
All this really proves is that there is no such thing as 100% safe anything.

It’s still up to the user which computer to buy and what software to run.
Sooner or later, even the best of us will get caught by a new malware infection. :cry:
Keep your guard up and your back-ups handy. ;D

I seem to remember you saying the same thing back in '06, Bob, when all those holes were appearing in IE6.
Frank, I didn't notice any hackers going on vacation since 06 ??? ;D

If anything, the amount of attacks against all systems has increased since 06, making increased security even more vital today than ever before.

Sooner or later, even the best of us will get caught by a new malware infection.
I didn't notice any hackers going on vacation since 06

I think you missed my point, which was that I’m still waiting to get caught as you promised. The increasing number of attacks just makes me further doubt the notion that ‘there is no such thing as 100% safe anything,’ and that browsers are much of a muchness when it comes to security.