Apple's Safari browser is likely to be compromised multiple times at an annual hacking contest being held later this month because it's "easy pickins as usual," a researcher specializing in Apple security says. Charlie Miller, the white-hat hacker who successfully felled a MacBook Air at last year's Pwn2Own competition, predicts …
Love these contests
I personally love these kinds of events. These are the kinds of people that can expose serious but potentially downplayed or even unknown (for what ever reason) vulnerabilities. The more we know about the flaws in the systems we all use on a daily basis the better off we are and that goes for what ever platform or applications you choose to use. I'm looking forward to the results.
Seconded, though I can't help a little giggle at the though of the Mac being owned and not the PC ;-p
Can we have a humble pie/hat eating icon plz?
Kind of odd though
Don't get me wrong, I'm sure Apple software is vulnerable, it just seems odd that the unit of measure used by this article is the number of people that another person thinks are likely to use vulnerabilities at a hacking conference.
XP or Vista?
Whichever it is, if Safari doesn't take the dubious honour of being the first to fall, Windows most probably will.
Wait and see.
I have heard bad things about Safari and I know that they have been busted before. Wait and see. I can't believe Microsoft can put out a secure product. The only thing have done right is Excel.
I gave my sister a Mac because even with anti-virus software and automatic updates turned on there is so much crap on her PC that it is unusable.
cunning. but does that mean you can't pass pointers to functions or do functional programming?
"Within hours of Safari's debut in June of 2007, security researchers discovered multiple vulnerabilities that could allow attackers to remotely install malware on the machines of people who used the beta. "
Do you mean safari's 3.0 debut? Safari has been out for many years now.
For starters, remove the anti-virus software. That's the biggest piece of crap that's making it unusable.... Uhh, you are talking about that Mac aren't you?
At lease there's not a booby prize like last year: Fujitsu U810 loaded with Vista.
They hammered away at the Sony - that would be a double score, but opted for the $5000. Oh well, $5k would go to buying a nice laptop.
"One track will pit hackers against the major browsers, including Safari, Internet Explorer, and Firefox."
What? No Opera? I wish they include it.
Effects of Protected Heap on Legitimate Applications
"cunning. but does that mean you can't pass pointers to functions or do functional programming?"
Sure you can pass pointers to functions, as long as the functions are not on the heap. The pointer is not executed, only the thing it points to.
For functional programming, or in general for any language implementation that generates and runs code on the fly, which includes things like Java JITs, the operating systems provide a system call that removes the no-execute protection from a region of memory. This does not really weaken the protection, since to execute the remove-protection call, the attacker must already be able to make some attack code to execute, so he would already have broken through.
@wayne tavitt - you tit
Er this quote
"but does that mean you can't pass pointers to functions or do functional programming?"
is the stupidest thing I have ever read! Honestly what was that supposed to mean?!?!? A word of advice, if you don't know about these things, then please don't comment on them. Reading that comment made so angry that I punched my cat.
RE: XP or Vista
"Whichever it is, if Safari doesn't take the dubious honour of being the first to fall, Windows most probably will."
Last year, Vista only fell because of a hole in Flash.
Excel "done right" ? As someone who enjoys tracing their family tree, I can assure that the mess Excel makes of older dates doesn't allow it the label "right". I have to use an extended date add-in to correct the bug.
is a major browser? I thought it was still in beta. The major variants of IE would be 6 and 7 with possibly a few 5s left in the world.
Of course the current variants of IE have about as many holes as a gill net.
A query, if Safari is based on the Konqueror rendering engine, how come Konqueror does not seem to have all of these discovered weaknesses?
RE: XP or Vista
Errr… don’t you mean Safari vs IE? In which case you’d need to specify which Safari (3?) vs which IE (8?)… I believe IE7 was flawed from a security point of view, but IE8 is meant to fix most of these problems. I say “believe” and “meant” as little blue is gone from my machines, apart from world which seems to run IE6, but I did hear rumours that XP SP2 is coming soon here!!!
Perhaps you should stop trying to force a spreadsheet to do a databases job?
Predictions=talking out of your ass?
He may be right, but it seems that predictions in general are usually about as accurate as Bill G's famous "640K ought to be enough for anyone" quote.
"I gave my sister a Mac because even with anti-virus software and automatic updates turned on there is so much crap on her PC that it is unusable."
You do know that the crap would be stuff she installed herself and most likely clicked "ok" repeatidly on. Just as she will do on the mac right.
I, of course, meant "work" instead of "world" in that gibberish I just posted.
@Predictions=talking out of your ass?
``He may be right, but it seems that predictions in general are usually about as accurate as Bill G's famous "640K ought to be enough for anyone" quote.''
much as I hate Billy G (I'm a rabid linux zealot), that quote is a fucking urban legend. He never actually said it. Do some research next time ple ase.
Perhaps the general public should not be expected to learn about databases when all they need is a simple spreadsheet function. It doesn't excuse the bug anyway.
Apple Safari Security Issue
A couple hours ago I posted a short message on the Windows itunes forum board with a link to an article similar to this one concerning the Safari security issue. Within thirty minutes or less I received the following e-mail message:
(Big Mouth Barker),
Apple removed your post on Apple Discussions, titled "Heads up everybody regarding Safari," because it contained the following:
* Off-topic or non-technical posts
We are including a copy of your post at the end of this email for your reference.
If you would like to send feedback to Apple about a product, please use the appropriate selection here: http://www.apple.com/feedback
As part of submitting feedback, please read the Unsolicited Idea Submission Policy linked to the feedback page.
Apple Discussions staff
A copy of your message for reference:
Security Issues. Must read article.
Issue No 1: Talk about double standards from Apple. Keep the following in mind when considering this issue: When I installed the iTunes desktop player Safari was not present nor did I want to download the browser. I tried it once and I realized from the getgo that this browser was going to be trouble. So I immediately removed it from my system. In this case, the iTunes player is downloading the browser for setup through the automatic updater. I feel that the subject matter that I posted on the forum was very relevant since it was being downloaded by the desktop player. It appears by the links that was provided in the e-mail that Apple does not like to hear critics talking about their products. Also, in their lack of response to the security issues by Apple, it also seem like they do not care about anything but profit.
Issue No 2: The iTunes Desktop Player may also have security issues as well. In the past couple of days I found the following entry in my DNS Cache Table:
C:\WhosIP\whosip>whosip -r 188.8.131.52
WHOIS Source: RIPE NCC
IP Address: 184.108.40.206
Country: EU # Country is really world wide
Network Name: EU-ZZ-151
Owner Name: Various Registries
From IP: 220.127.116.11
To IP: 18.104.22.168
Contact Name: Internet Assigned Numbers Authority
Address: see http://www.iana.org.
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Information related to '22.214.171.124 - 126.96.36.199'
inetnum: 188.8.131.52 - 184.108.40.206
descr: Various Registries
country: EU # Country is really world wide
remarks: These addresses were issued by
The IANA before the formation of
Regional Internet Registries.
status: ALLOCATED UNSPECIFIED
changed: email@example.com 20030502
changed: firstname.lastname@example.org 20030621
changed: email@example.com 20050202
org-name: RIPE NCC
address: RIPE Network Coordination Centre
address: P.O. Box 10096
address: 1001 EB Amsterdam
address: The Netherlands
phone: +31 20 535 4444
fax-no: +31 20 535 4445
changed: firstname.lastname@example.org 20040417
changed: email@example.com 20070319
role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
changed: firstname.lastname@example.org 20010411
I take security very seriously by keeping a close eye on my Host File as well as the DNS Table. The only program running at the time of this discovery was iTunes and I had not sufred the web when I descovered the entry. The following message was with the IP entry: “Scan iTunes”. In my view I believe it is time to form a coalition to approach iTunes and flat out tell them that they should pull these products with security issues if they are not going to do anything about it.
Big Mouth Barker
"Perhaps you should stop trying to force a spreadsheet to do a databases job?"
Especially since there is several freeware Genealogy software available which use the standard GED format for their files. Not to mention the plethora of on-line sites which offer the same service.
(wife recently decided to dive into genealogy. I learnt more than I wanted)
@Paul - RE:RE:(untitled) (Redux)
And since when is a family tree a job that requires a database? This would seem an ideal application for a spreadsheet. Or are you one of these idiots who think that the recent mania for applications to store data and settings as XML in MySQL or SQLite databases is actually a good idea?
Addendum to my previous ranty comment.
I've just reread my last comment and it sounds rather pillocky. By "applications" I actually meant random desktop applications. Believe it or not, I fully endorse business applications responsibly storing data in a properly set up database.
Because, while they don't mind a few low-hanging fruit, allowing windfalls to participate would make things a tad too easy.
Viz: Opera security related articles here recently.
Jeeves? Lay out my flameproof vest, I'm expecting some Opera fanbois for tea.
Seems odd the iPhone has a non-executable heap where Safari can't, or am I missing something?
- Mounties get their man: Heartbleed hacker suspect, 19, CUFFED
- Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
- Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
- Feast your PUNY eyes on highest resolution phone display EVER
- Wall St's DROOLING as Twitter GULPS DOWN analytics firm Gnip