Microsoft Identified An Apple Bug

[markwolfe Veteran]

Source: eFlux Media

Microsoft Corp. just issued a heads-up to its clients concerning the use of Apple Inc.?s Safari Web browser after several reports were presented about the occurrence of a rather dangerous system intrusion.

Apparently, a flaw found in Apple?s browser, known as the Safari bug, permits attackers to run unauthorized software on a victim?s computer and fill its desktop with potentially malicious executable files. The intrusion is also known as carpet bombing and the dangerous executables appear to users as normal Windows executables.

The flaw can lead to the complications presented earlier only combined with an unresolved bug in Internet Explorer. The IE bug has been reported to Microsoft more than a year ago and the connection with Apple?s flaw was discovered just last week.

Both the Safari and IE bugs "are moderate vulnerabilities that, combined, produce a critical flaw, which allows remote code execution," security researcher Aviv Raff told PCWorld.

Microsoft considers this to be a real threat to its users and issued a full security advisory three days ago, where it explained the vulnerability of the system and recommended all Windows users running the Safari browser to restrict its use until a safer version will be released by its developers or by Apple?s.

Apple already patched more than 17 vulnerabilities for the Windows Safari version and, surely, measures for identifying the mechanism?s full process and removing the bug will be taken as soon as possible.

According to Microsoft?s reports, the flaw affects all versions of Windows XP and Vista.

So, it seems that an Apple Safari bug can be used with an IE bug to cause a huge problem, if I read this right...

[The Teej]

"...and recommended all Windows users running the Safari browser to restrict its use until a safer version will be released by its developers or by Apple?s."

I lol'd.

[Knife Party]

Who uses that crap anyway on windows? everyone know OSX apps do not belong on windows.......

[Imran Hussain]

ouch! for Apple fanboys :p

[markwolfe Veteran]

Who uses that crap anyway on windows? everyone know OSX apps do not belong on windows.......

Oh... I am thinking some smaller web developers who want to check rendering in Safari, but haven't purchased an Apple PC.

Something along those lines?

ouch! for Apple fanboys :p

... combined with an unresolved bug in Internet Explorer. The IE bug has been reported to Microsoft more than a year ago

ouch for the Microsoft fanboys, too. ;)

[John S. Veteran]

Who uses that crap anyway on windows? everyone know OSX apps do not belong on windows.......

I currently am since I'm having to use windows atm. :p

[Knife Party]

''Oh... I am thinking some smaller web developers who want to check rendering in Safari, but haven't purchased an Apple PC.'' -> other than that, it shouldn't even be on the windows platform, i simply can't stand its cheapness

[CelticWhisper]

I normally use Firefox exclusively but I've been meaning to give Safari-Win32 a shot. I might hold off, though, now that this has surfaced. Safari's a nice enough browser on OSX but I'm always up for cross-platform testing.

Any word on when a fix is due out?

[Imran Hussain]

ouch for the Microsoft fanboys, too. ;)

I don't get surprised anymore when bugs are identified in IE :p

[majortom1981]

I refuse to use safari since its still being shoved down my throat. Every time quicktime wants to be updated by default it selects safri to install.

[majortom1981]

I refuse to use safari since its still being shoved down my throat. Every time quicktime wants to be updated by default it selects safri to install.

Why is it all sorts of lawsuits get brought up against microsoft for doing this but nobody says anything about apple doing it.

[markwolfe Veteran]

...

Why is it all sorts of lawsuits get brought up against microsoft for doing this but nobody says anything about apple doing it.

You are perfectly entitled to sue Apple for this, if you like. Maybe you can consult a lawyer specializing in this area of law, and see about starting a class-action lawsuit.

The lawyer can either get the ball rolling (especially if he sees fame and fortune in it!), or explain why it would not make a good valid lawsuit.

[The Teej]

Who uses that crap anyway on windows? everyone know OSX apps do not belong on windows.......

I use Safari on Vista, but it's really because I like to have the "main 4" (IE, Opera, FF, Safari) on my machine. I sometimes test websites, and this requires me to check it out on as many browsers as possible :p

[Linkinfamous]

Wasn't Apple touting how Safari was more secure than everything, designed from the ground up to be secure, etc?

They're up to 17 since the windows release? Ouch.

[zeroday]

Oh... I am thinking some smaller web developers who want to check rendering in Safari, but haven't purchased an Apple PC.

Indeed.

The IE bug has been reported to Microsoft more than a year ago and the connection with Apple?s flaw was discovered just last week.

o.O, so if they fixed this one year old bug, this problem could have been potentially avoided? I blame MS more here then apple, but apple windows safari devs need a good smack for being lazy.

[J400uk]

Why dont they concentrate on fiding bugs in there own OS and programs rather than fidning flaw in there rivals.

[Knife Party]

Why dont they concentrate on fiding bugs in there own OS and programs rather than fidning flaw in there rivals.

the fact that it maybe affects not only OSX users, but also Windows platform ones?

[CPressland]

Why dont they concentrate on fiding bugs in there own OS and programs rather than fidning flaw in there rivals.

Because that'd be a different team???? Do you think that the entire Apple Staff work on only one project at a time? And besides, there is only a handful of known bugs left in OS 10.5.3 now anyway.

This bug still exists in Internet Explorer should the right piece of Javascript be used.

Apple never said that Safari was secure, they said it was fast, I know because I only watched the WWDC07 podcast again the other day in anticipation for WWDC08

At current Firefox is probably the most secure browser, also very fast. Lets face facts, any browser is still better then Internet Explorer. I mean that thing still cant render PNGs properly and uses more then 500MB of memory at any given time.

Back on topic though I see no reason for Apple to fix this bug in a hurry. It's very minor and if you're messed about as a result of this bug then you're going on the wrong kind of websites anyway, Warez sites for example.

[rtk]

Apple never said that Safari was secure, they said it was fast, I know because I only watched the WWDC07 podcast again the other day in anticipation for WWDC08

They sure have, and continue to do so on their web page:

"Apple engineers designed Safari to be secure from day one."

It's very minor and if you're messed about as a result of this bug then you're going on the wrong kind of websites anyway, Warez sites for example.

If by minor, you mean major, I'd agree with you. Cross site vulnerabilities and infected ad networks can expose this on just about any site, not just pron or warez sites.

Edited June 3, 2008 by rtk

[thejohnnyq]

Apple does make security claims, and has refuses to acknowledge issues like the type ahead security issue.

Here is a test, that i have preformed dozens of times, and it scares the hell of someone when they realize what they are seeing. This has been replicated on Safari under windows vista, xp, 2k8, 32 and 64 os, mac and now Ipod touch.

open safari browser and type in www. and wait for the address list to show. it will show addresses that have been hit from the ip address that is hitting the Internet. i have done this on several different locations and devices, and they all do this. I have just got a ipod touch and connected to the wap device and loaded safari, typed in w , over 57 web sites listed.

The only thing that i can find is that there is traffic to and from google address.

Try it and see.

[markwolfe Veteran]

...

At current Firefox is probably the most secure browser...

I don't use Opera, but from reviewing secunia advisories, and how many known items are open, from the "big 4", I would say Opera looks the best in that respect.

o.O, so if they fixed this one year old bug, this problem could have been potentially avoided? I blame MS more here then apple, but apple windows safari devs need a good smack for being lazy.

To be honest, neither bug was very serious on its own, from what the news item states. I guess the accolades for "customer focus" will go to whichever company fixes it first.