Apple patches vulnerability in Safari

Apple Computer Inc. issued an update on Friday to fix a reported security hole in its Safari Web browser. The vulnerability, which was classified as "Extremely Critical" by security firm Secunia, allowed the execution of malicious code on the user's computer.

"Apple takes security very seriously and works quickly to address potential threats as we learn of them — in this case, before there was any actual risk to our customers," said Philip Schiller, Apple's senior vice president of Worldwide Product Marketing, in a statement. "While no operating system can be completely immune from all security issues, Mac OS X's UNIX-based architecture has so far turned out to be much better than most."

The vulnerability, which has been confirmed using Safari 1.2.1 (v125.1) and Internet Explorer 5.2, made it "possible to place arbitrary files in a known location, including script files, on a user's system if the Safari browser has been configured to 'Open "safe" files after download' (default behavior) by asking a user to download a '.dmg' (disk image) file," according to Secunia's advisory.

While acknowledging the vulnerability, industry security analysts felt that people would not be at high risk, because exploit writers typically focus on writing such code for the higher-profile Windows-based computers.

"It seems to be that people just don't write exploits for the Mac because they're not as popular and they [the exploit writers] don't get much bang for the buck," Bruce Schneier, CTO of Counterpane Internet Security Inc., told MacCentral. "Historically these aren't that big of a deal, but that could change."

Security Update 2004-05-24 version 1.0 is available via the Software Update control panel.

Source: MacCentral



I stick my tongue out at all those people who say Apple does not act fast for security updates. Those who run OS X, and actually use the Software Update feature, know that Apple releases security updates when they are needed. I prefer the "when needed" philosophy over the "once a month" approach that Windows has been using lately (with the exception of the holiday season, of course).

Originally posted at Breaking Windows.


Article Author: Ken Edwards

Ken Edwards is the Gaming Editor at Blogcritics, and calls Breaking Windows home. Ken works part time for Student Publications at BGSU as the Webmaster and System Administrator. He is also a freelance web developer.


Article comments

  • 1 - Michael Croft

    May 21, 2004 at 9:02 pm

    Some of the variant exploits still work. I recommend Unsanity's freeware Paranoid Android haxie, which catches them.

  • 2 - Ken Edwards

    May 21, 2004 at 9:17 pm

    Yes indeed. The telnet exploit still exists. John Gruber suggested using RCDefaultApp.

  • 3 - Jim Carruthers

    May 21, 2004 at 9:29 pm

    I just ran Software Update and it offered to update my iPod stuff, which I don't own. I've already patched this exploit myself, but Apple has done dick.

    I've not seen any update to correct this exploit.

  • 4 - Jim Carruthers

    May 21, 2004 at 9:34 pm

    While I think about it, the problem ain't in Safari, it's in the WebKit, which affects all apps which use it, so all browsers, RSS readers, etc.

    The fix in the meantime is to disable the script functions of help:, disk: and so on.

  • 5 - Michael Croft

    May 22, 2004 at 12:41 am

    Go with Paranoid Android, all. They have a whitepaper that explains why their approach is best. It catches any arbitrary protocol that is acting dodgy.

    Jim, i don't know why you don't see Security Update 5-24-2004. I do, and it fixes the well-known version of this issue. You might want to check again.

  • 6 - Mac Diva

    May 22, 2004 at 1:07 am

    Typo tease: You don't really mean 'venerability' in paragraph one, Michael.

    I'll use the patch, just like I used last week's. But, the problems I've been having go beyond this. Safari has been continually crashing. In addition, graphics I post to my blogs while using Safari look misplaced in Internet Explorer. Then there is the garble at the bottom of the page about 20 percent of the time when looking at sites using Safari. In fact, if a page is prepared using Classic, it barely appears in Safari at all. As much as I like the speed of Safari, I still find it far from perfect.

  • 7 - Ken Edwards

    May 22, 2004 at 1:18 am

    Mac Diva - I have never heard of those Safari problems!

  • 8 - Mac Diva

    May 22, 2004 at 1:51 am

    I can show you one of them, now. Visit one of my blog friend's sites using Safari. Let me know what you see.

    She would appreciate being able to fix this, though she will upgrade to OS X as soon as she can.

    I will post a photo example when I next look at my blogs in IE.

    For the record, I'm using Safari in Jaguar.

  • 9 - Ken Edwards

    May 22, 2004 at 1:59 am

    that looks like a lot of blue. a lot of LOUD blue.

    much different in IE.

  • 10 - Mac Diva

    May 22, 2004 at 2:39 am

    There should be content where the big blue expanse is, Ken. Writing, photos, etc. But, there isn't.

    Another example. Scroll to the bottom of the news story on this page and tell me what you see.

    Note: I don't mean only Ken. Anyone should feel free to help us figure this out.

  • 11 - Michael Croft

    May 22, 2004 at 10:20 am

    MD:--"Typo tease: You don't really mean 'venerability' in paragraph one, Michael."

    Erm, I didn't mean anything. Ken wrote this.

    RE: your friend's blog.

    Remove the unmatched <ul> tag from line 52 (in the generated code) of the sidebar and then Safari doesn't die.

  • 12 - Michael Croft

    May 22, 2004 at 10:57 am

    Also, I looked at the other site, and it's poorly written browser-detection code. If you have the debug menu on, tell that page your user agent is Windows MSIE 6.0 and it all works.

    Well-written browser detection code tests for features and hides non-working pieces from them.

    Poorly written browser detection code tests for browser names and makes assumptions on the basis of them.
    http://www.oregonlive.com/dhtml/hnavbar_class/scripts/hGlobal.js tests for navigator.appName, which is the bad way. It will also break for things like Konqueror, which (IIRC) doesn't return navigator.appName, since it is not (again, IIRC) in the DOM in the standards documents.

    This is the menubar control code for the top.
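
The feature-versus-name distinction from comment 12, as an added example that is not code from the page, from oregonlive.com's hGlobal.js or from any of the commenters. The navigator and document objects are constructed stand-ins (the Konqueror entry models the comment's "IIRC" that appName is absent, not a measurement of a real browser), the name-sniffing rule "IE only" is assumed from comment 14's report that an MSIE 6.0 user agent made the page work, and the element id 'hnav' is assumed:

```javascript
// Added example (not from the page or from oregonlive.com): browser-name
// sniffing versus feature detection, run against constructed stand-ins
// for a few 2004-era browsers.

// Name-based detection in the style comment 12 criticises: it keys on
// navigator.appName and assumes capabilities from the name. Accepting
// only IE is an assumption taken from comment 14. It also assumes that
// appName exists at all.
function menuSupportedByName(nav) {
  // TypeError if appName is absent (the Konqueror case comment 12 mentions).
  return nav.appName.indexOf('Microsoft Internet Explorer') === 0;
}

// Feature detection: ask for the DOM calls the menubar actually needs
// instead of guessing them from a name.
function menuSupportedByFeature(doc) {
  if (!doc || typeof doc.getElementById !== 'function') return false;
  var bar = doc.getElementById('hnav'); // 'hnav' is an assumed element id
  return !!(bar && bar.style && 'display' in bar.style);
}

// Constructed document objects: one with a DOM Level 1 getElementById
// (and a styleable element), one without.
function fakeDocument(hasDom1) {
  var bar = { id: 'hnav', style: { display: '' } };
  if (!hasDom1) return {};
  return { getElementById: function (id) { return id === 'hnav' ? bar : null; } };
}

// Constructed navigator/document pairs. They are illustrative, not captured
// from real browsers. Safari reports appName 'Netscape'; the Konqueror entry
// has no appName at all; 'msie4like' has the IE name but no DOM-1 calls.
var environments = {
  safari125: { nav: { appName: 'Netscape' }, doc: fakeDocument(true) },
  msie6:     { nav: { appName: 'Microsoft Internet Explorer' }, doc: fakeDocument(true) },
  konqueror: { nav: {}, doc: fakeDocument(true) },
  msie4like: { nav: { appName: 'Microsoft Internet Explorer' }, doc: fakeDocument(false) }
};

// Run both strategies on one environment. Name sniffing is wrapped so a
// missing appName is recorded as 'error' instead of aborting the script,
// which is what would happen to a page that runs it unguarded.
function compare(env) {
  var byName;
  try { byName = menuSupportedByName(env.nav); } catch (e) { byName = 'error'; }
  return { byName: byName, byFeature: menuSupportedByFeature(env.doc) };
}

// Run every constructed environment and return a results table.
function compareAll() {
  var out = {};
  for (var k in environments) out[k] = compare(environments[k]);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareAll());
}
```

Name sniffing gets Safari wrong in one direction (hidden although it has the DOM calls), throws on the Konqueror-like navigator, and gets the IE-4-like browser wrong in the other direction (shown although it lacks getElementById); feature detection answers correctly in all four cases because it asks for exactly what the menubar code will call.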

  • 13 - Jim Carruthers

    May 22, 2004 at 12:43 pm

    For some reason, the Security Update isn't showing up in my Software Update (I probably did something stupid like click disregard, or my iBook has been taken over by my evil twin). However, I downloaded the standalone patch from Apple. I'd already disabled help://

    Which while I think of it, is there an advantage to disabling or deleting the Help Viewer since I've never found it useful and it is slow as hell.

  • 14 - Ken Edwards

    May 22, 2004 at 3:01 pm

    "venerability" was penned by the folks at MacCentral, not me.

    "There should be content where the big blue expanse is, Ken. Writing, photos, etc. But, there isn't."

    Yea, I figured that out :P

    Changing my Safari user agent, things do work. Thanks, Michael.
