1 July, 2008

Summary:

§  These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), both client and server versions; as well as Safari 3.x for OS X 10.4.x

§  How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into visiting a malicious web site

§  Impact: Various results; in the worst case, attacker executes code on your user's computer, potentially gaining control of your user's computer

§  What to do: OS X administrators should download, test and install Security Update 2008-004, Mac OS X 10.5.4, and Safari 3.1.2

Exposure:

Late yesterday, Apple released two security updates to fix vulnerabilities in both OS X and Safari for Mac. The OS X security update fixes around 25 (number based on CVE-IDs) security issues in software packages that ship as part of OS X, including Ruby, Tomcat, and Webkit. Some of these vulnerabilities allow attackers to execute code on your OS X machines, so we rate this update Critical. Apply it as soon as you can. Three of the fixed vulnerabilities include:

§  WebKit code execution vulnerability. WebKit is an OS X framework used to help display the various types of content found in web pages. According to Apple, Webkit suffers from a memory corruption vulnerability involving the way it processes JavaScript arrays. By luring one of your users to a maliciously crafted web page, an attacker could exploit this flaw to execute code on your user's computer, with that user's privileges.

§  SMB File Server buffer overflow vulnerability. The SMB File Server allows OS X to share files with Windows computers. SMB File Server suffers from a heap buffer overflow vulnerability involving the way it handles SMB packets. By sending specially crafted packets to an SMB File Server, or by enticing one of your users to connect to a malicious SMB File Server, an attacker can exploit this flaw to execute code on that user's computer.

§  Launch Services code execution vulnerability. Launch Services is an OS X application programming interface (API) that allows a running application to open other applications, or their documents. Launch Services suffers from something called a race condition vulnerability, having to do with its validation of symbolic links. By luring one of your users to a specially created web site, an attacker can exploit this flaw to execute code on that user's computer, with that user's privileges. However, this attack can only succeed if your users has enabled the "Open 'safe' files" preference in Safari.

Apple's alert includes many more flaws, including other code execution flaws in addition to those described above. The remaining vulnerabilities also include Denial of Service (DoS) flaws, elevation of privilege flaws, and spoofing vulnerabilities, plus others. Components patched by this security update include:

Please refer to Apple's OS X alert for more details.

Apple also released a small security update for Safari 3.x. This update fixes one serious vulnerability that only affects Tiger (OS X 10.4.x) users. This flaw is identical to the Webkit vulnerability described above. For some reason, though, Tiger users must also apply this Safari update in order to completely patch the vulnerability.

Solution Path:

Apple has released OS X Security Update 2008-004, OS X 10.5.4, and Safari 3.1.2 to fix all these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

§  Security Update 2008-004 (PPC)

§  Security Update 2008-004 (Intel)

§  Security Update 2008-004 Server (PPC)

§  Security Update 2008-004 Server (Intel)

§  Security Update OS X 10.5.4

§  Security Update OS X 10.5.4 Combo Update

§  Security Update OS X Server 10.5.4

§  Security Update OS X Server 10.5.4 Combo Update

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X and Safari, we recommend that you let OS X's Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these issues.

References:

§  Apple's June OS X Advisory

§  Apple's June Safari Advisory

Steve Jobs has just announced the new iPhone 3G at WWDC 2008. Apple’s new phone features fast 3G wireless technology, GPS mapping, support for enterprise features like Microsoft Exchange, and the new App Store.

Apple claims its 3G speeds trounce the competition, with pageloads 36% faster than the N95 and Treo 750 — and of course it completely trounces the old EDGE data. Battery life isn’t getting put out to pasture though, with 300 hours of standby, 8-10 hours of 2G talk, 5 hours of 3G talk, 7 hours of video and 24 hours of audio.

iPhone 3G will be released on July 11th in Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Hong Kong, Ireland, Italy, Japan, Mexico, Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, UK and the US.

The price is $199 for 8G and $299 for the 16GB model.

Read the full article here.

You will be amazed to know that our most lovable browser Mozilla Firefox's Version 3(or Gran Paradiso, its development name) is coming in few days(as told by Mozilla Engineers). So just hold your breath as the new Firefox comes. Its features are really astonishing. Let me tell you some of its features:

• One-Click Bookmarking
• Phishing and Malware Protection
• Site ID info
• Built-in spell checking
• Session Restore and Full Zoom
• And most shocking one, It has 5,000 add-ons to customize browsing experience
• And finally it has 14,000 improvements
• I hope these features are sufficient....lol

Read the full article here.

You will be amazed to know that our most lovable browser Mozilla Firefox's Version 3(or Gran Paradiso, its development name) is coming in few days(as told by Mozilla Engineers). So just hold your breath as the new Firefox comes. Its features are really astonishing. Let me tell you some of its features:

• One-Click Bookmarking
• Phishing and Malware Protection
• Site ID info
• Built-in spell checking
• Session Restore and Full Zoom
• And most shocking one, It has 5,000 add-ons to customize browsing experience
• And finally it has 14,000 improvements
• I hope these features are sufficient....lol

Do you know that Firefox has decided to create a GUINNESS WORLD RECORD by Most Software Downloaded in 24 hours. So wanna PLEDGE FOR IT. 
                                           

Click on the pic to go to the Spread Firefox page, even you can Click Here also.

If you wanna give it a try then here is the link to its download page(this is the link for Firefox 3 Release Candidate 2), Click Here, but before downloading it please read this. And do you know it comes in 45 different languages. Isn't it amazing! If you are new to Mozilla Firefox, then you can go for the stable version, i.e., 2.0.0.14. Click Here.

Update:

Firefox 3 is going to be released on 17th June 2008. So just few days to go :-D.

Source: Mozilla Dev News

Further Reading:

• Firefox 3, on Wikipedia
• Firefox 3, on Mozilla Wiki
• A review by Information Week
• Another review at Wired.com
• A detailed review at Mozilla Links
• Some screenshots at Life Hacker

Do you know that on an average nearly 25% users are using Internet Explorer as their browser. So I thought to tell you a method to tweak Internet Explorer. Here I begin:

Read the full article here.

28 May, 2008

Summary:

• These vulnerabilities affect: Adobe Flash Player 9.0.124.0 and earlier on Windows (potentially affects OS X, Unix, and Linux as well)
• How an attacker exploits them: By enticing one of your users into playing a maliciously crafted Flash (.SWF) file
• Impact: An attacker could execute code on the victim's computer, and take control of it
• What to do: Adobe hasn't released a patch yet; see the solution section below for workarounds

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash, often formatted as a Shockwave (.SWF) file. Adobe's Flash Player ships by default with many web browsers, including Internet Explorer (IE). It also runs on many operating systems.

Late yesterday, Symantec, SANS Internet Storm Center Handler's Diary [ 1 / 2 / 3 ], and SecurityFocus all warned of a serious zero day Flash Player vulnerability which they have found attackers exploiting in the wild. As of this writing, researchers do not know the technical details about this new vulnerability; they do know, however, that if one of your users downloads and plays a specially crafted Shockwave Flash (.SWF) file, an attacker could exploit the unpatched flaw to execute code on that user's computer, with that user's privileges. Since most Windows administrators grant their users local administrative privileges, an attacker could potentially exploit these flaws to gain complete control of a victim's computer. The malicious .SWF file could be hosted on a web site, sent via an HTML e-mail, or delivered in other ways via applications that embed Flash.

According to the last update from SecurityFocus, attackers are exploiting this zero day vulnerability in great numbers. They warn that attackers have injected this malicious .SWF exploit into approximately 20,000 legitimate web sites, using web-based attack techniques like those we recently described in our recent Radio Free Security podcast.

On the other hand, this morning Symantec updated their Threatcon information claiming this Flash Player vulnerability may not be as new as they originally thought. Their latest technical analysis reveals that the flaw appears similar to one Adobe has already patched. Even with that, Symantec has still observed this new exploit affecting fully patched versions of Adobe Flash Player. So, either this is a true zero day variant of the original flaw, or Adobe's patch is not working as reliably as it should. Regardless, if you allow Adobe Flash Player in your network, you should remain concerned about this new exploit and follow the workarounds suggested below.

Solution Path:

Because researchers first found this vulnerability being exploited in the wild, Adobe has not had time to release a patch for Flash Player. Until they do, the following workarounds will mitigate the risk of this new exploit affecting your users:

• Internet Explorer (IE) users can set the killbit for Adobe's Flash Player. This prevents IE from playing any Flash content with the Adobe Flash Player. Bear in mind that this also prevents legitimate Flash content from playing. Refer to this Microsoft Knowledge Base article for more details on how to set a killbit. Flash Player's CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36.
• Firefox users should install the NoScript extension. NoScript prevents web sites from running JavaScript, Java, Flash, or other executable web content by default. While NoScript does prevent legitimate web sites from executing scripts as well, you can easily add those trusted sites to your white list to allow them to run the content you need.
• Use a gateway device, like WatchGuard's Firebox products, to block .SWF files from entering your network. See below for more details.

For All WatchGuard Users:

Some of WatchGuard's Firebox models allow you to prevent your users from accessing Shockwave Flash files (.SWF) via the web (HTTP) or emails (SMTP, POP3). If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF files using your Firebox's proxy services (video instructions below). Again, many web sites rely on Flash for interactive content, and blocking Flash prevents these sites from working properly. Note that many popular video streaming sites, such as YouTube and JibJab, deliver video using a Flash front end, so this technique may render many video web sites unusable. Nonetheless, with the severity of this zero day exploit, you may want to temporarily block all .SWF content until Adobe releases a patch.

If you choose to block Flash content, follow the links below for video instructions on using your Firebox proxy's content blocking features to block .SWF files by their file extensions:

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy? (Video, 2:30)
    Windows Media, 17.4MB   /    QuickTime, 11.8MB
  • How do I block files with the HTTP proxy? (Video, 2:52)
    Windows Media, 32MB   /    QuickTime, 28.6MB
  • How do I block files with the POP3 proxy? (Video, 2:35)
    Windows Media, 17.6MB   /    QuickTime, 16.5MB
  • How do I block files with the SMTP proxy? (Video, 2:18)
    Windows Media, 12.2MB   /    QuickTime, 9.1MB
  •  
• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy? (Video, 2:30)
    Windows Media, 25.2MB   /    QuickTime, 9.1MB
  • How do I block files with the HTTP proxy? (Video, 2:52)
    Windows Media, 38.2MB   /    QuickTime, 10.7MB
  • How do I block files with the POP3 proxy? (Video, 2:35)
    Windows Media, 23.2MB   /    QuickTime, 10.1MB
  • How do I block files with the SMTP proxy? (Video, 2:18)
    Windows Media, 25.6MB   /    QuickTime, 9.0MB

Status:

Adobe has not had time to release a patch yet. Apply the workarounds described above.

References:

• SANS Internet Storm Center Handler's Diary Entries:
  • Zero Day SWF Entry 1
  • Zero Day SWF Entry 2
  • Zero Day SWF Entry 3
• Symantec's SecurityFocus Advisory

Symantec's Threatcon Advisory

"Thankfully," Apple has released their Safari browser to the Windows platform. My first computer was an Apple, but I have no special place in my heart for the company or their religion. I decided I should download the browser and give it a whirl.

Safari started up pretty quick and it seems to render pages pretty fast, but thirty seconds after logging into my site I realized I already had a number of issues to try and fix in order to support this browser. My third party WYSIWYG editor was having issues (e.g. would not start). It was a JavaScript issue. I figured that would be easy to troubleshoot. Oh, wait, Safari doesn't have a standard JavaScript debugger? Wait, no DOM Inspector, either? WTF?!

Now I have spent a couple of hours trying to find documentation on how to develop using Safari and so far I am SOL. I have found plenty of documentation on how I should be able to turn on JavaScript debugging, but so far it hasn't worked. I have slapped the following two lines in just about every configuration file I can think of (per the on-line docs) and still no luck.

<key>IncludeDebugMenu</key>
<true/>

[Another jab: What is up with this ridiculous XML schema in the "plist" files?]

Hmm. Now I am pissed. So what are my first impressions? Not good! First off, Apple insisting on using its own Widget set for the UI is annoying. Second, the standard tools I would expect to find in a browser are not present or flat out do not work. Also, if you are going to put in debugging functionality, why not provide controls for turning it off and on? Why make a person edit configuration files manually in order to enable/disable features? And if you DO insist on making a person manually edit files, make sure your on-line docs are up-to-date.

To sum up: sure, the browser loads fast and renders quick, but if I can't troubleshoot my code in order to support it, or, if features found in other browsers do not work, why would I want to bother?

But itu dulu, tadi siang, iseng nyobain Safari lagi .. Udah final release cuy, download 'n install, jajal deh.  Buggy-nya ilang tuh, udah pada di fix kali yah .. langsung demen ama ni browser ... hehehe.. :D

Kesan pertama: view area-nya luas banget, mungkin karena toolbar dan statusbar-nya dibikin simple, jadi luas banget view area-nya.  Fitur font-smoothing, enak banget diliat di layar LCD, konon katanya ini si Safari kecepatan render-nya hampir sama kayak Opera, tapi wa gak ngerasa juga sih. Dari letak menubar 'n Preference, emang bener ini keturunan Gecko Engine yang di customize sama tim Apple. Here's some SS.. 

 (klik buat diperbesar)

Resource Consumption - Multi-tabs + Video streaming (YouTube)

Browser Info, Resource Consumption @Multi Tabs Idle

Hmmm.. mayan juga yach, makan CPU + Memory resourcenya, but sebanding dengan fitur-fitur yang ditawarin.  Minus point dari Safari itu, ya plugin-nya belum sebanyak kompetitornya, apa lagi buat plugin buat filter ads-nya belum ada. , I'll keep go with Safari .. :p

Download

It also doesn't like my Non-American spelt words (eg. favourite - thinks it should be spelt favorite) 

I shall blog about my day tomorrow as I have more time but now I am off to bed!

PS. After publishing this post the paragraphs have decided to work :D

Summary

This document describes the security content of Safari 3.1.1, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Products Affected

Safari 3 (Windows), Security, Safari 3.1

Safari 3.1.1

• Safari
  CVE-ID: CVE-2007-2398
  Available for: Windows XP or Vista
  Impact: A maliciously crafted website may control the contents of the address bar
  Description: A timing issue in Safari 3.1 allows a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This issue was addressed in Safari Beta 3.0.2, but reintroduced in Safari 3.1. This update addresses the issue by restoring the address bar contents if a request for a new web page is terminated. This issue does not affect Mac OS X systems.

• Safari
  CVE-ID: CVE-2008-1024
  Available for: Windows XP or Vista
  Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  Description: A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems.

• WebKit
  CVE-ID: CVE-2008-1025
  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
  Impact: Visiting a malicious website may result in cross-site scripting
  Description: An issue exists in WebKi's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs. Credit to Robert Swiecki of Google Information Security Team and David Bloom for reporting this issue.

• WebKit
  CVE-ID: CVE-2008-1026
  Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
  Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
  Description: A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller for reporting these issues.

16 April, 2008

Summary:

• These vulnerabilities affect: Safari 3 for OS X (and Windows)
• How an attacker exploits them: By enticing one of your users to a malicious web page
• Impact: Numerous flaws, various results; in the worst case, an attacker could execute code on the victim's computer
• What to do: Update to Safari 3.1.1 at your earliest convenience

Exposure:

Safari is the default web browser that ships with OS X. Recently, Apple also released Safari for Windows, pushing it to Quicktime and iTunes users via Apple Software Update.

Today, Apple released an advisory describing four vulnerabilities that affect Safari, and components that ship with it. The flaws affect both the OS X and Windows versions of Safari. The worst of these vulnerabilities potentially allows attackers to execute malicious code on your Safari user's machines. If you use Safari in your network -- whether on a PC or Mac -- you should update to version 3.1.1 at your earliest convenience. Some of the fixed vulnerabilities include:

• WebKit buffer overflow vulnerability. WebKit is the web browser engine Safari uses on OS X machines. WebKit suffers from a buffer overflow vulnerability involving the way it handles JavaScript regular expressions. By luring one of your users to a malicious web page, an attacker could exploit this flaw to execute code on your user's computer with your user's privileges. Since OS X users don't have administrative privileges by default, an attacker wouldn't be able to exploit this flaw to gain complete control of their machines without significant user interaction; he could still, however, exploit this flaw to do anything the victimized user could do.

• WebKit cross-site scripting vulnerability. WebKit also suffers from a Cross-Site Scripting (XSS) vulnerability involving the way it handles URLs containing the colon character in a host name. By enticing one of your users into clicking a specially crafted link, an attacker could exploit this flaw to execute scripts on that user's computer under the context of another legitimate site which your user trusts. For a more general explanation of XSS attacks, see our article "Anatomy of a Cross-Site Scripting Attack."

Apple's alert also covers two vulnerabilities that affect the Windows version of Safari. By enticing one of your users to a malicious web site, an attacker could exploit the worst of these two flaws to execute code on that user's computer, potentially gaining control of it. However, we suspect few Windows users actually browse with Safari, so these flaws probably pose little risk to Windows users.

Solution Path:

Apple has release Safari 3.1.1 for OS X and Windows. If you use Safari in your network, you should download and install this update at your earliest convenience.

Note: You can also use Apple and OS X's Software Update utility to install Safari updates automatically.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Apple released Safari 3.1.1 to correct these issues.

References:

• Apple's Safari 3.1.1 Advisory

3 April, 2008

Summary:

• This vulnerability affects: QuickTime 7.4.x for Mac and PC (and possibly earlier versions)
• How an attacker exploits it: Multiple methods of attack; in the most common, users are enticed to download and play a malicious movie or image in QuickTime
• Impact: Various results; in the worst case, an attacker executes code on your user's computer, potentially gaining complete control of it
• What to do: If you allow QuickTime (or iTunes), upgrade to 7.4.5 -- otherwise, remove these applications from your company's computers

Exposure:

Today, Apple released an alert fixing eleven vulnerabilities in their popular media player application, QuickTime. (Current versions of iTunes also ship with QuickTime; if your users have iTunes, they most likely have QuickTime.) These applications run on Windows and Macintosh computers, and both platforms are susceptible to exploitation of these security flaws. Apple's alert specifies Vista and XP SP2 as the vulnerable versions of Windows.

The vulnerabilities relate to different processes in QuickTime. For example: How it opens a picture file, how it displays movie files, how it handles a movie's media tracks, and so on. Some of these vulnerabilities allow attackers to execute any code they choose on your OS X machines, so we rate this update Critical. If you allow QuickTime, apply the update as soon as you can. Some of the vulnerabilities fixed include:

• Multiple movie handling code execution vulnerabilities. QuickTime suffers from five vulnerabilities (mostly buffer overflow flaws) involving the way it handles opening movie files. While the vulnerabilities differ technically, they all share the same scope and impact. If an attacker can get one of your users to open a maliciously crafted movie, he could trigger any of these flaws to execute code on your user's computer, with the same privileges and permissions your user has.

• Multiple image handling code execution vulnerabilities. QuickTime suffers from three buffer overflow vulnerabilities involving the way it handles .PICT image files. Like the movie flaws above, these three vulnerabilities differ technically but share the same scope and impact. By enticing one of your users to open a maliciously crafted .PICT image in QuickTime, an attacker could exploit any of these flaws to execute code on your user's Mac, with that user's privileges.

• VR Movie buffer overflow vulnerability. Quicktime supports QuickTime Virtual Reality (VR), or QTVR image files, which are panoramic images stitched together into one special image file which QuickTime allows you to explore in simulated 3-D. Unfortunately, QuickTime suffers from a buffer overflow vulnerability involving the way it handles a specially crafted QTVR image. If an attacker lures one of your users into viewing a malicious QTVR image, he could exploit this flaw to execute code on that user's computer, with that user's privileges.

The remaining flaws in Apple's QuickTime alert include another code execution flaw in addition to those described above, and an information disclosure vulnerability. If you'd like to know more about any of these QuickTime flaws, refer to Apple's alert.

Solution Path:

Apple has released QuickTime version 7.4.5 to correct these flaws. If you allow QuickTime or iTunes in your network (or suspect that your users have installed them), we recommend that users either remove the applications or install version 7.4.5.

The latest versions of QuickTime and iTunes for Windows ship with Apple Software Update. Apple Software Update automatically detects updates such as this one for QuickTime, and then informs you, so that you can install it as soon as possible. If you choose to allow QuickTime or iTunes in your network, we recommend you set Apple Software Update to check for new updates daily and allow it to assist you in keeping your Apple software current.

Notes: Apple recently used Software Update to push Safari 3.1 onto Windows computers that did not have Safari installed. If you do not want to install Safari on your computers, be sure to uncheck the Safari 3.1 update option. Also, Apple ships QuickTime combined with iTunes by default. If you do not want iTunes, there is a standalone version of QuickTime which you can download instead.

For All Users:

These attacks rely on getting one of your users to download and open any of several different QuickTime movie or image file types. Many of these multimedia formats have legitimate business uses and should not be blocked categorically at your firewall. Unless you want to block all of the media types that QuickTime supports, you should insist that users either remove QuickTime and iTunes, or install Apple's QuickTime update as soon as possible.

Status:

Apple released QuickTime 7.4.5, which fixes this issue.

References:

• Apple's QuickTime alert
• Apple software downloads
• Apple security updates

27 March, 2008

Summary:

• This vulnerability affects: Firefox 2.0.0.x for Windows, Linux, and Macintosh
• How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
• Impact: Various results; in the worst case, attacker executes code on your user's computer, gaining complete control of it
• What to do: Upgrade to Firefox 2.0.0.13

Exposure:

Yesterday, the Mozilla Foundation released Firefox 2.0.0.13, fixing ten security vulnerabilities (based on CVE-IDs) in the popular web browser. We summarize three of the more critical vulnerabilities below:

• Memory corruption vulnerabilities (2008-015). Firefox suffers from several unspecified crash bugs, which corrupt memory. Mozilla presumes that, with enough effort, some of these memory corruption flaws could be exploited to run arbitrary code. To exploit these flaws, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute code on that user's machine, with that user's privileges. And if the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim's computer.
  Mozilla Impact rating: Critical

• JavaScript privilege elevation and code execution vulnerabilities (2008-014). Firefox suffers from various vulnerabilities involving the way it handles specially crafted JavaScript. By enticing one of your users to a web page containing malicious JavaScript, an attacker could exploit these flaws to elevate privileges, execute a Cross-Site Scripting (XSS) attack, or even execute code on your user's machine, with your user's privileges. Depending on your user's level of privilege, an attacker could exploit this flaw to gain complete control of the user's computer.
  Mozilla Impact rating: Critical

• Java socket connection vulnerability (2008-018). Mozilla's alert describes a security vulnerability that Sun has recently fixed. By enticing one of your users to a malicious web site containing specially crafted Java code, an attacker could exploit this JRE vulnerability to gain direct access to ports on your computer. Even if your firewall blocks access to those particular ports, the malicious web site's code -- which would travel over port 80 -- could locally access any port on your user's computer, bypassing your firewall policies. If you've already applied the JRE update we mentioned in our previous JRE alert, this vulnerability won't affect you; for those who haven't installed the JRE update yet, Mozilla's update patches this flaw on Firefox's side.
  Mozilla Impact rating: High

The remaining vulnerabilities include popup spoofing, information disclosure, and Cross-Site Request Forgery (CSRF) flaws. If you'd like to know more about them, check out Firefox's known issues page. However, the vulnerabilities described above should be enough to convince you to upgrade your Firefox users to the fixed version at your earliest convenience.

Solution Path:

Mozilla has updated Firefox, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 2.0.0.13 as soon as possible. Mozilla no longer supports the 1.5.x branch of Firefox; we recommend that 1.5.x users migrate to 2.0.0.13 now.

• Windows
• Linux
• Mac OS X

Note: The latest versions of Firefox 2.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that "Firefox" is checked under "Automatically check for updates." In this menu, you can configure Firefox to always download and install any update, or only to inform the user that the update exists.

For All WatchGuard Users:

Some of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 2.0.0.13, fixing these security issues.

References:

• Firefox 2.0.0.13 Release Notes
• Vulnerabilities Fixed in Firefox 2.0.0.13

Mientras que en pasadas versiones del motor WebKi, Safari no mostraba bien las tipografías en Windows, la última versión del navegador de Apple ha incluido una importante mejora: soporte para el uso de Windows GDI, o lo que es lo mismo, no más problemas con las tipografías en sistemas Windows.

Este importante soporte ha sido ensombrecido por la polémica surgida a raíz de una frase mal expresada de la licencia de uso de Safari 3.1, que parecía especificar que era ilegal usar Safari en Windows, algo inexplicable que solo excluiría casos como ejecutarlo a través de BootCamp o de un programa de virtualización. Sin embargo, en Ars Technica se pusieron en contacto con los responsables de Apple, que poco después les confirmaron que, efectivamente, la licencia contenía un error.

Fuente: www.theinquirer.es

Apple's competitors in the browser market were naturally not happy with that move, which smacked of Microsoftian bundling. (Microsoft used its operating system monopoly to push browser software; now Apple is using its dominance in music to push browser software.)

But the outcry sparked by that move was just the start. Soon there was word of a snafu in Apple's end-user license for the Windows Safari -- the fine print granted people the right to use the app only on "Apple-labeled" computers. Right: Safari for Windows was, by its own terms, illegal. (Apple has since updated the license.)

There are also some reports of the thing crashing, and now there are security flaws, too. The tech security firm Secunia says it has found two "highly critical" holes in Safari for Windows that allow untrusted Web sites to gain access to a user's system.

There are no known fixes for the holes yet, other than Secunia's advisory to refrain from browsing "untrusted Web sites" with Safari.

Not that other browsers don't suffer the same flaws, of course. But this was supposed to be the best browser in the world

A Apple nos ultimos tempos começa a mostrar a sua verdadeira face. Com sede de abocanhar mais alguns 'litros' na Web com o seu 'Fastest' navegador Safari, produziu um novo truque. No Update do Itunes (que nao é usado por pouca gente) e do QuickTime, a mesma propoe o download do navegador Safari, que segundo ela é o mais rápido e facil de usar do mercado. E como nem todos usuarios sao como eu (brincadeirinha) que sabe o que quer, bom a ver vamos, vao mesmo clicar nas duas opções...

Quem nao gostou nada Mozilla, que a julgar pelas palavras do seu CEO trata-se duma especie de jogo sujo da empresa de Jobs, um dos mais falados geeks do momento (ha que reconhece-lo).

Pois, e o Gates é que era o malandro. É pena que seja só estar lá em cima para entrar na sacanagem geral.

Nevertheless, I downloaded and installed the new Apple Safari 3.1, and to be honest, it surprised me.

Unfortunately, it hangs up the first time I tried it.

Apart from that, then it works ok and there are some characteristics that really deserve some lines:

An interesting feature is Private Browsing. When activivated Safari doesn't store Google's search we made, cookies, history, downloads and forms data.

Another feature, maybe not very useful but different, is the possibility to change the size of the text areas. I haven't seen this in other browsers.

The integrated RSS reader is quite good.

Searching text in a web page with Safari it's very easy and clean. The search results are highlighted so you can find them quickly.

There are some other features that I haven't tried yet, such as SnapBack, bookmarks handling Itunes style and the form autocomplete.

Anyway, I think that which brower is best than the other is a matter of how comfortable do you feel working with it or which is easier to use.
Personally, I use Firefox since its earlier releases, it seems to be fast, realible, it has the best tab browsing, although the memory use problem hasn't be solved yet.
All in all, Apple Safari 3.1 has some innovations over the other competitors, but i think that it's too much saying that is the best browser in the world, as Apple said.

Or maybe is beacuse of her?

18 March, 2008

Summary:

• These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), both client and server versions
• How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into visiting a URL or web site
• Impact: Various results; in the worst case, attacker executes code on your user's computer, potentially gaining complete of your user's computer
• What to do: OS X administrators should download, test and install Security Update 2008-002

Exposure:

Today, Apple released a security update fixing over 95 (number based on CVE-IDs) security issues in software packages that ship as part of OS X, including Apache, Preview, and Help Viewer. Some of these vulnerabilities allow attackers to execute any code they choose on your OS X machines, so we rate this update Critical. Apply it as soon as you can. Three of the vulnerabilities fixed include:

• Multiple integer overflow vulnerabilities in AppKit. AppKit is a OS X framework that helps developers implement graphical, event-driven user interfaces. According to Apple, Appkit suffers from integer overflow vulnerabilities involving the way it parses something called a "serialized property list." By luring one of your users to a maliciously crafted web site, an attacker could exploit these flaws to execute code on your user's computer, with that user's privileges. The attacker could then leverage a separate vulnerability in AppKit -- also described in Apple's alert -- to gain system privilege, thus giving the attacker complete control of that user's Mac.

• Foundation race condition vulnerability. Foundation is an OS X component that helps Safari handle web pages and URLs. According to Apple, Foundation suffers from a complicated race condition vulnerability. If an attacker can entice one of your users into visiting a malicious web site, he could exploit this vulnerability to execute code on the user's computer, with that user's privileges. Furthermore, the attacker could then leverage other vulnerabilities described in Apple's alert to elevate privileges and gain complete control of your user's computer.

• Image Raw buffer overflow vulnerability. Image Raw is a component that allows OS X to handle the various RAW image formats that some digital cameras support. Image Raw suffers from a buffer overflow vulnerability involving the way it handles specially malformed Adobe Digital Negative (DNG) image files. By enticing one of your users into viewing a malicious image, an attacker can exploit this flaw to execute code on that user's computer. By default, the attacker would only execute code with that user's privileges. However, he could then leverage another vulnerability -- also described in Apple's alert -- to gain complete control of your user's computer.

Apple's alert includes many, many more flaws, including other code execution flaws in addition to those described above. The remaining vulnerabilities also include Denial of Service (DoS) flaws, elevation of privilege flaws, and information disclosure vulnerabilities, plus others. Components patched by this security update include:

Refer to Apple's alert for more details.

This is a huge update fixing many security vulnerabilities, some of which pose a critical security risk. If you manage OS X machines, we highly recommend you apply this update right away.

Solution Path:

Apple has released OS X Security Update 2008-002 to fix all these security issues. OS X administrators should download, test, and deploy Security Update 2008-002 as soon as they can.

• Security Update 2008-002 v1.0 (PPC)
• Security Update 2008-002 v1.0 (Universal)
• Security Update 2008-002 v1.0 (Leopard)
• Security Update 2008-002 v1.0 Server (PPC)
• Security Update 2008-002 v1.0 Server (Universal)
• Security Update 2008-002 v1.0 Server (Leopard)

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend you let OS X's Software Update utility pick the correct update for you automatically.

For All Users:

These flaws support diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple released updates to fix these issues.

References:

Apple's March OS X Advisory

18 March, 2008

Summary:

• These vulnerabilities affect: Safari 3 for OS X and Windows
• How an attacker exploits them: By enticing one of your users into visiting a malicious web site
• Impact: Various results; in the worst case, attacker executes code on your user's computer, with your user's privileges
• What to do: Install Safari 3.1

Exposure:

Today, Apple released a security update fixing thirteen security issues in Safari 3 for OS X and Windows. The worst of these vulnerabilities potentially allows attackers to execute malicious code on your Safari user's machines. If you use Safari in your network -- whether on a PC or Mac -- you should update to version 3.1 as soon as you can. Some of the fixed vulnerabilities include:

• Webkit buffer overflow vulnerability. Webkit, a component that ships with Safari, suffers from a buffer overflow vulnerability involving the way it handles JavaScript regular expressions. If an attacker can entice one of your users into visiting a malicious web site, he could exploit this vulnerability to execute code on the user's computer, with that user's privileges.

• Safari certificate spoofing vulnerability. According to Apple, Safari suffers from an unspecified SSL certificate validation vulnerability. To exploit this vulnerability, an attacker must first entice your user to a legitimate web site that has a legitimate SSL certificate, then re-direct your user to a malicious web site. The malicious web site will appear to have the same SSL certificate as the legitimate site, and thus inherit the trust you give the legitimate site. An attacker could exploit this flaw to steal your login credentials or any other information associated with the legitimate site.

• Multiple XSS vulnerabilities in Safari. Safari and some of its components (WebCore and WebKit) suffer from nine Cross-Site Scripting (XSS) vulnerabilities. Though the vulnerabilities differ technically, an attacker could exploit them in the same way, and with similar results. If an attacker can entice one of your users into clicking a malicious link, he can exploit these flaws to execute scripts on that user's computer with that user's privileges. These scripts could do anything from reading the user's cookies to gaining complete control of his PC. For a more general understanding of XSS attacks, see our article, "Anatomy of a Cross-Site Scripting Attack."

Apple's alert includes a few more flaws, including a web site spoofing vulnerability and password disclosure flaw. For more details on these flaws, refer to Apple's alert.

Solution Path:

Apple has released Safari 3.1 for OS X and Windows to correct these security vulnerabilities. Safari users should download and install version 3.1 as soon as possible.

Note: You can also use Apple and OS X's Software Update utility to install the Safari 3.1 update for you automatically.

For All Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Apple released Safari 3.1 to fix these flaws.

References:

• Apple's Safari 3.1 Advisory

Color Management is a standard technique defined by the International Color Consortium to ensure consistent color presentation for images no matter if they are displayed on paper, a computer monitor, an LCD TV set, fabric or any other media.

While image color improvement will not be as dramatic as I would like, the truth of the matter is, there will certainly be a difference. For example, when you take a picture with your digital camera (specially in RAW format), it not only saves information about the colors, but also the amount of light available, distance and other factors that may affect how an image is perceived. This details are stored in a color profile which as of Firefox 2 is just ignored.

In Firefox 3, these profiles are used to tune up the image to your display to better reproduce the original image; a must for amateur and professional photographers, clothing and fabric related e-stores, paint, food, and mostly everywhere a true representation of color is important.

Color management is turned off by default to prevent subtle color variations affecting the overall look of web sites. To enable it you must set gfx.color_management.enabled to true (via about:config) and restart Firefox.

I'm elated that Firefox 3 has added support for color management technology. Over the years I've learned to appreciate photography; mainly by reading the blogs of my good friends, Abraham Lincoln and Don Ray. Having color management feature in my web browser will greatly enhance the enjoyment of viewing color photographs.

I have plans to get my feet wet with color photographs in a couple of months when I buy myself a digital camera. Right now I'm feeding my piggy bank. :-)

Firefox 3 rocks!

11 March, 2008

Summary:

• These vulnerabilities affect: Most current versions of Microsoft Office for Windows, and in some cases for Mac (and some other Office-related programs)
• How an attacker exploits them: By enticing you to open maliciously crafted Office documents, visit a malicious web site, or click a malicious link
• Impact: An attacker can execute code, potentially gaining complete control of your computer
• What to do: Install the appropriate Office or Office related patches immediately

Exposure:

Today, Microsoft released four Critical security bulletins describing a dozen vulnerabilities found in components or programs that ship with Microsoft Office for Windows, and in some cases Office for Mac. One of the vulnerabilities also affects Microsoft Visual Studio .NET, Biztalk Server, Commerce Server, and Internet Security and Acceleration Sever. Each vulnerability affects different versions of Office to a different extent.

The dozen flaws affect different components and applications within Office, but the end result is always the same. Either by enticing one of your users to download and view a specially crafted Office document, or by luring one of your users to a malicious web page, an attacker can exploit any of these vulnerabilities to execute code on the victim's computer, usually inheriting that user's level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the victim's machine.

An attacker can exploit many of these flaws using just about any kind of Office document. While two of Microsoft's bulletins specifically mention Excel (.xls) files, one bulletin simply mentions "Office files," which could refer to any Office document type, including Word (.doc), PowerPoint (.ppt), and Publisher (.pub) documents. So, beware of all unexpected Office documents.

If you'd like to learn more about each individual flaw, drill into the "Vulnerability Details" section of the security bulletins listed below:

• MS08-014: Multiple Excel vulnerabilities. This bulletin describes seven vulnerabilities involving how Excel handles maliciously crafted Excel documents. By tricking one of your users into downloading and opening an Excel document, an attacker could exploit this flaw to execute code, potentially gaining complete control of that user's computer.

• MS08-015: Outlook mailto: URI handling vulnerability. Outlook doesn't properly handle specially crafted mailto: URIs. If an attacker can entice one of your users to click a malicious mailto: link, typically found on a web site, he can exploit this vulnerability to execute code on that user's computer, potentially gaining total control over it.

• MS08-016: Two Office remote code execution vulnerabilities. This bulletin describes two vulnerabilities involving how Office handles various maliciously crafted Office documents. By tricking one of your users into downloading and opening an Office document, an attacker could exploit this flaw to execute code, potentially gaining complete control of that user's computer.

• MS08-017: Two Office Web Component vulnerabilities. Office Web Components allow you to either publish Office spreadsheets, charts, and databases to your web site, or to view such Office content on a web site. The Web Components suffer from two memory corruption vulnerabilities. By enticing one of your users to a malicious web site, an attacker could exploit either vulnerability to execute code on that user's machine, and possibly gain control of it.

In January, Microsoft released an early advisory warning customers of a zero day vulnerability in Microsoft Excel, which attackers are currently exploiting in targeted attacks. Microsoft has confirmed that MS08-014 fixes this outstanding Excel vulnerability. Since Microsoft rates all of these bulletins as Critical, and one bulletin fixes a flaw that attackers are currently exploiting in the wild, we consider these flaws a serious risk. You should patch them immediately.

Solution Path

Microsoft has released patches for Office (and a few related programs) to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

MS08-014:

Excel update for:

• Office 2000 w/SP3 (KB946979)
• Office XP w/SP3 (KB946976)
• Office 2003 w/SP2 (KB943985)
  • Excel Viewer 2003 (KB943889)
• 2007 Microsoft Office System (KB946974)
• Office 2004 for Mac (KB949357)
• Office 2008 for Mac (KB948057)
• Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (KB947801)

MS08-015:

Outlook update for:

• Office 2000 w/SP3 (KB946986)
• Office XP w/SP3 (KB946985)
• Office 2003 (KB945432)
• 2007 Microsoft Office System (KB946983)

MS08-016:

• Office 2000 w/SP3 (KB947361)
• Office XP w/SP3 (KB947866)
• Office 2003 w/SP2 (KB947355)
  • Excel Viewer 2003 (KB947355)
• Office 2004 for Mac (KB949357)

MS08-017:

Office Web Components update for:

• Office 2000 w/SP3 (KB931660)
• Office XP w/SP3 (KB932031)
• Visual Studio .NET 2002 (KB933367)
• Visual Studio .NET 2003 (KB933369)
• Biztalk Server 2000 (KB939714)
• Biztalk Server 2002 (KB939714)
• Commerce Server 2000 (KB941305)
• Internet Security and Acceleration Server 2000 (KB948257)

For All WatchGuard Users:

Attackers exploit some of these vulnerabilities by enticing your users into downloading and viewing various Office documents. You can configure some of WatchGuard's Firebox models to block all Office documents. However, most organizations need to allow Office documents in order to conduct business, and blocking them could bring your business to a halt. Furthermore, the remaining attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS08-014
• Microsoft Security Bulletin MS08-015
• Microsoft Security Bulletin MS08-016
• Microsoft Security Bulletin MS08-017

Apparently, Apple is lagging behind what they need to do to protect their customers. PayPal recommends at this point to use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera. Basically, anything but Safari.

Safari is the default browser on Apple’s Macintosh computers and the iPhone, but it is also available for the PC. Both Firefox and Opera run on the Mac.

Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites. Another problem is Safari’s lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site.

When it comes to fighting phishing Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption) - that’s it! An emerging technology, EV certificates are already supported in Internet Explorer 7, and they’ve been used on PayPal’s Web site for more than a year now. When IE 7 visits PayPal, the browser’s address bar turns green - a sign that the site is legitimate. Upcoming versions of Firefox and Opera are expected to support the technology.

12 February, 2008

Summary:

• These vulnerabilities affect: Many current versions of Microsoft Office for Windows (MS08-013 affects OS X, too) and Microsoft Works and Works Suite
• How an attacker exploits them: By enticing you to open maliciously crafted Office documents
• Impact: An attacker can execute code, potentially gaining complete control of your computer
• What to do: Install the appropriate Office or Works patches immediately.

Exposure:

Today, Microsoft released four security bulletins describing seven vulnerabilities found in components or pro