[SecurityRatty] tag: safari

Google powers Safari's new antifraud warnings

Mon, 17 Nov 2008 02:00:00 +0000

Google's blacklist appears to power the antiphishing tool Apple added to its Safari browser just last week, links in the new warning indicate.

Apple plays catch-up, ads anti-fraud safeguard to Safari

Fri, 14 Nov 2008 02:00:00 +0000

In an update to its Safari Web browser, Apple on Thursday patched several security flaws and added anti-phishing protection -- making it the last major browser to receive the feature that blocks known identity-stealing sites.

Apple plays catch-up, adds anti-fraud safeguard to Safari

Thu, 13 Nov 2008 21:00:00 +0000

Apple Friday added anti-phishing protection to Safari, the last major browser to receive the feature that blocks known identity-stealing sites. The company also patched 11 security bugs in the program, the bulk of them specific to the Microsoft Windows version.

Researchers discover new cross-browser exploit that affects all major desktop platforms

Fri, 26 Sep 2008 21:11:29 +0000

Researchers are beginning to raise an alarm for what looks like a new browser security threat that affects all major desktop platforms: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and [...]

SDL and the XSS Filter, Revisited

Mon, 08 Sep 2008 16:18:00 +0000

Bryan here. Since Steve called me out in his post on the XSS Filter last week, I feel obligated to clarify my position. ☺ I believe that the SDL blog is mainly for development teams; after all, development is the D in SDL. Now, development teams are made up of more than just developers. Development teams include everyone involved in the development process from management on down. But development teams don’t include end users. While XSS Filter is a great, innovative XSS defense technology, there’s really nothing that development teams can do to take advantage of it. Users alone make the decision as to whether they’re going to take advantage of XSS Filter: they either use IE8 and get it, or they use another browser and don’t get it.

That being said, there are some interesting implications that XSS Filter and other user-specified defenses have for the SDL. Given that XSS Filter is effective in stopping many types of reflected XSS attacks, should we relax the SDL coding and testing requirements around server-side XSS defense? Of course not. For one reason, the SDL requirements are effective in preventing forms of XSS that XSS Filter does not address, like persistent XSS. For another, not everyone uses IE 8. If we were to relax server-side requirements now, we would jeopardize IE 7 users, as well as Firefox, Safari, Opera, Chrome, and all the other browsers’ users.

But what if these conditions change? What if David and others on the security science team develop a new version of XSS Filter that’s effective against all forms of XSS? And what if all the browser manufacturers develop similar technology and implement it in their browsers? (Or alternatively, what if every user on the planet switches to IE 8? ☺) Then would we relax the server-side XSS defense requirements? Yes, we probably would.

I’ve always been more of a security pragmatist than a security purist. While the security purist in me would want to keep the requirements around to prevent developers from falling back into bad habits, the security pragmatist in me would recognize that development teams have a limited amount of bandwidth, and making them defend against rare, obscure vulnerabilities is a poor use of their time. Unfortunately, we’re not likely to face this scenario any time in the near future, so the SDL will continue to require server-side input validation and output encoding to prevent XSS attacks.

We now return you to your regularly scheduled development-focused blog.

Summarizing Zero Day's Posts for August

Thu, 04 Sep 2008 03:40:10 +0000

Here's a concise summary of all of my posts at Zero Day for August. If interested, consider going through July's summary, subscribe yourself to my personal feed, or Zero Day's main feed, and stay informed.

Some of the notable articles are - Today's assignment : Coding an undetectable malware ; Coordinated Russia vs Georgia cyber attack in progress and Inside India's CAPTCHA solving economy.

01. Cuil's stance on privacy - "We have no idea who you are"
02. Phishers increasingly scamming other phishers
03. Today's assignment : Coding an undetectable malware
04. Consumer Reports urges Mac users to dump Safari, cites lack of phishing protection
05. Fake CNN news items malware campaign spreading rapidly
06. CNET's Clientside developer blog serving Adobe Flash exploits
07. Coordinated Russia vs Georgia cyber attack in progress
08. Researcher discovers Nokia S40 security vulnerabilities, demands 20,000 euros to release details
09. Intel proactively fixes security flaws in its chips
10. 1.5m spam emails sent from compromised University accounts
11. Fortune 500 companies use of email spoofing countermeasures declining
12. China busts hacking ring, managed to penetrate 10 gov't databases
13. Scammers caught backdooring chip and PIN terminals
14. SpamZa - opt in spamming service fighting to remain online
15. FEMA's PBX network hacked, over 400 calls made to the Middle East
16. Typosquatting the U.S presidential election - a security risk?
17. Hundreds of Dutch web sites hacked by Islamic hackers
18. Twitter's "me too" anti-spam strategy
19. Malware detected at the International Space Station
20. Taiwan busts hacking ring, 50 million personal records compromised
21. MSN Norway serving Flash exploits through malvertising
22. Inside India's CAPTCHA solving economy

Google's New Browser

Wed, 03 Sep 2008 06:59:00 +0000

So, Google have released a new browser called Chrome...

What does that mean from an Information Security perspective?

Not very much and a lot, depending if you are looking at the short term or long term.

So, lets get into the short term - there is a new browser. It will have bugs and vulnerabilities. These will be exploited.

Most of the browser is based on webkit which is sorta what kde uses and sorta what safari uses and sorta what a number of cell phones use. It is becoming browser number 4 after IE, mozilla/firefox and opera. This means that hackers (online criminals) will start to notice the browser (if they haven't already). Assuming that the open source promise (many eyes make fewer bugs) stands true and that Google will be quick with patches then this is merely part of the daily application vulnerability race. And if Google is quick with paches then this browser should not be any more unsafe than the others.

There are a few extra security features in this browser - that is always a good thing. For more information read here. Of course the feature that is most interesting - "each-tab-running-separately" has been compromised.

So short term - move along, nothing to see here. Lets move on to the long term...

What is most important in my mind for the long term is the "why" of this browser - why would Google want to jump into a market where they can't be the biggest or the best or even a very effective niche player? Especially since they have a good relationship with Firefox and their product is almost entirely webkit? And their browser is essentially all open source so all the good bits will be analysed and added to Firefox anyhow or improved upon and added to Firefox.

The answer is simple - Google want their browser to fail.

Huh?

Well, that may a bit unfair but they really don't care either way.

Google is the search engine leader. They are also slowly becoming the Internet. This blog is hosted by Google, its feed is hosted by Google. If I need to host video, pictures, sound etc then I would probably choose Google - they are really good at hosting and why bother looking elsewhere when I already have a Google account?

So, almost all of my public information is hosted by Google. What about my private information?

Well... no.

That is all stored safely on my laptop for four reasons -

I don't trust Google.
I don't trust the Internet.
The tools for creating private documents are so much better than the online ones.
I can get to my documents when I am offline.
The Internet is too slow.

But a lot of my computer day is spent in Microsoft Office. That is a lot of advertising opportunity lost. And if Google can access my personal files then they will have a better idea of what adverts to send my way. Which in turn will make their advertisers happier and Google stock go up.

And all it would take is sorting out the above 5 points.

I was going to go into each one but this post is already getting quite long. Just note that the three features that are most important in Chrome are:

Security and stability
Offline application mode
Fast running and standards based application engine

In other words - helping making it easier to use Google's online applications. Most of the factors are going to be taken care of with Chrome and its kids.

What will happen is that Firefox will catch up with Chrome but Google won't care what you use to access their online applications - just as long as you access them. And that is their game plan.

What this leaves is the final question - all things being equal - is your information more at risk on Google's servers or on you laptop at home?

That is a good question but one we should be looking at.

Chrome, Safari And Selt-Signed Certificates

Wed, 03 Sep 2008 05:10:29 +0000

I ran a column a couple weeks back about browsers and how they handle unsigned certificates. How does Chrome handle them? For that matter, how does Safari handle them, since I forgot to include it in that column? Chrome, at first, is much like IE7; it puts up an impossible-to-miss warning but lets you continue past it: Then if you do continue, like Firefox, it keeps a warning present in the address bar. Neat. Safari is much like IE7: It pops up warning dialog box: But when you choose Continue it continues with no visible indicator that anything is different.

Carpet-bombing Vulnerability In Google Chrome New Browser

Tue, 02 Sep 2008 18:41:12 +0000

Hours after the release of Google Chrome, researcher Aviv Raff discovered that he could combine two vulnerabilities, a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference, to trick users into launching executables directly from the browser window. A harmless proof-of-concept demo of the attack is available. In the [...]

Mac users are advised not to use Safari by Consumer Reports

Wed, 06 Aug 2008 18:26:29 +0000

According to this year’s State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. Consumer Reports [...]