Homeland Security Warns About Latest Dangerous Apple Browser Bug

Nibiru2012

Quick Scotty, beam me up!
Joined
Oct 27, 2009
Messages
4,955
Reaction score
1,302
From: DailyTech.com

May 10, 2010 5:20 PM



Apple, which perpetually makes fun of Microsoft's Windows for being "buggy" and "virus prone," is yet again endangering its users with lax security and poorly written code. (Source: Apple)




This time Apple's latest security woe is a "highly critical" flaw in its Safari browser; and Apple is yet again silent on the issue.


Cyberthieves can use the vulnerability to execute arbitrary code, steal information


Apple's arrogant air when it comes to security has yet again come back to bite it. This time Danish security research firm Secunia discovered yet another vulnerability in the web browser Safari, which they billed as "highly critical" -- their most serious rating.

Secondary confirmation of the bug came from the United States Computer Emergency Readiness Team (US-CERT) (part of the U.S. Department of Homeland Security), which issued an advisory after Polish researcher Krystian Kloskowski disclosed the bug on Friday.

The bug exploits Apple's poor implementation of code that handles the browser's parent windows. According to Secunia, "This can be exploited to execute arbitrary code when a user visits a specially-crafted Web page and closes opened pop-up windows."

US-CERT adds that HTML email opened in webmail services such as Gmail or Windows Live Hotmail may also exploit the flaw. By compromising the operating system, hackers are free to log user information (such as credit cards or personal contacts) and install malware to accomplish a host of evils.

The flaw works in Windows 7 on the latest version of Safari 4 (4.0.5). "Other versions may also be affected" according to US-CERT -- so OS X users of Safari aren't off the hook yet. Charlie Miller, noted Mac hacker and security expert, was not available to verify whether the bug existed in OS X. He's on vacation after hacking Safari and earning $10,000 in loot in March at the Pwn2Own contest.

Miller has stated that Macs and Apple software are often easier to hack than PCs and Windows software. Overall there's been relatively little interest in hacking Macs or Apple products, but what little attention there has been has revealed a host of security flaws. Apple patched 16 flaws in Safari in mid-March -- including 10 that affected OS X. Miller's exploit was among those flaws fixed.

Apple is keeping quiet on the latest danger to its customers -- its usual response to such security dangers. Security experts at US-CERT and Secunia are providing Safari users with some sound advice for now at least -- don't open untrusted HTML emails, and disable JavaScript except on trusted sites.

Many security experts have criticized Apple's lax stance on security and poorly implemented products. Charlie Miller states, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

Or as Mac researcher Dino Dai Zovi once put it, "There is no magic fairy dust protecting Macs. Writing exploits for [Microsoft] Vista is hard work. Writing exploits for Mac is a lot of fun."

SOURCE


My Personal Note:
I have found this article to be extremely interesting to say the least!
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
It's about time flaws are being discovered in Apple's software. Users who spend a minimum of $1,100 for a standard sized laptop, which happens to be their rot-gut line of products (the bottom of the bucket), all the way to $5,000 or more, are now finally getting their share of what the other brands have gotten. No one is immune to remote code execution, as some Windows & Linux users know firsthand.

Honestly, it's baffled me for a long time as to why more shots aren't being taken at Mac users, they are the ones with the money, with all kinds of juicy information to be found on their "uncrackable" systems. In the upcoming months, we're probably going to find out just how secure these systems really are. It's their turn.

Finally, a short education to those who are unaware of what "remote code execution" is. It's not a virus. It's perhaps the most dangerous thing that can happen to any computer user. Once it's planted on your computer, the one(s) responsible for the attack can pretty much do what they please with your computer. Think about that for a minute, pretty much do as they please. The skill level of the attacker and the user's security posture at the time of attack are both critical to the outcome of the attack.

So with that in mind, make sure you have a decent AV, along with a separate malware scanner (such as Malwarebytes), and keep them both updated. Practice safe computing, don't open unsolicited emails, don't click onto "pop up" ads, don't go to sites that promise things that are "too good to be true" (spam leads to this). If you have Firefox, the NoScript add-on is your best friend, as well as Adblock Plus. Use them both. Whatever browser you use, use the latest version, and keep your entire computer updated. Do a full manual scan with your AV once weekly, and another with a separate malware scanner at least once monthly. These are the simple things you can do to stay as safe as you can. It is my hope that this post makes everyone a little more aware of the dangers of the net, and no matter the brand you choose, you're never 100% safe. Don't let anyone tell you otherwise.
 

Veedaz

~
Joined
Sep 1, 2009
Messages
1,988
Reaction score
374
Apple ? Who ? ......... Oh Mac :lol: :lol: :lol: them over priced under powered things ... what a shame :D
 
Joined
Nov 4, 2009
Messages
217
Reaction score
50
Good advice catilley. One should not depend on just one line of defense. In these days of Broadband the user has a responsibility to defend their own domain and few are willing to take this seriously and that is the hacker's delight. How many times I have provided the tools to my clients and how little they use them.

Why do I rant? My client's laziness is my mortgage payment
 

Fire cat

Established Member
Joined
Mar 7, 2010
Messages
1,157
Reaction score
191
Proof that Mac and Apple is just about the good looks.
This ain't good for those paranoid liars!

Good advice Cat.

Cheers,
Fire Cat
 
Joined
Mar 25, 2009
Messages
24
Reaction score
1
I'm sorry but anything the government warns me about gets discounted. Whether it's swine flu or Y2K it's almost always exaggerated or simply bogus. As I recall, it was Homeland Security that said I should be concerned about conservative veterans.

So, excuse me if I don't get my knickers in a twist.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
Good advice catilley. One should not depend on just one line of defense. In these days of Broadband the user has a responsibility to defend their own domain and few are willing to take this seriously and that is the hacker's delight. How many times I have provided the tools to my clients and how little they use them.

Why do I rant? My client's laziness is my mortgage payment
roban, it would be my guess that you live in a fine home, in a nice neighborhood. In your business, the work can't be exported, and it would be my guess that a fairly decent percentage of your work could have been avoided, if only your clients took the time to keep their security posture up to date. It would be safe to say that you have a lifetime job, just as Veedaz has. I wish the very best for you and your business venture.
Later,
Cat
 