Mar 27, 2008

Nice Safari for Windows EULA mistake

I really can't stand this new auto-install mentality of software developers anymore. It seems any application you install has some sort of online auto-update feature. This is a perfect example of how dangerous it can be. At least we used to have the choice of installing a vulnerable product. Now it can happen even without our knowledge.

The article goes on to say that you aren't in any legal danger by installing Safari on your PC; it's obviously a mistake on Apple's part. The EULA for a Windows product says you can only install it on Apple-labeled hardware, which is impossible to comply with on an ordinary PC. Jonathan Kramer, a lawyer for the Kramer Telecom Law Firm, says "You can't enforce a term that's impossible."

Safari 3.1 For Windows Violates Its Own EULA, Vulnerable To Hacks

recoiledsnake writes
"The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites."

Further, Wormfan writes
"The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs."
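The first flaw in the post above is described only as improper handling of a buffer for long download filenames. The C below is an example added here to illustrate that bug class; it is not Safari's code, and nothing about Safari's actual implementation can be taken from the post. It assumes a hypothetical 64-byte fixed stack buffer, a deliberately simplified Content-Disposition parser, and a constructed header whose filename is 200 characters long, and it shows the unchecked copy beside the bounded one.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* hypothetical fixed-size filename buffer */

/* Pull the filename= parameter out of a Content-Disposition header value.
   Simplified for illustration: no RFC 2231 (filename*=) handling and no
   backslash escapes inside quotes. Returns NULL if the parameter is absent;
   otherwise returns a pointer into hdr and stores the name length in *len. */
static const char *disposition_filename(const char *hdr, size_t *len)
{
    const char *p = strstr(hdr, "filename=");
    const char *end;

    if (p == NULL) {
        *len = 0;
        return NULL;
    }
    p += strlen("filename=");
    if (*p == '"') {
        p++;
        end = strchr(p, '"');
    } else {
        end = strchr(p, ';');
    }
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Vulnerable pattern: the server-controlled length is never compared with
   sizeof buf, so a name of NAME_BUF bytes or more is written past the end
   of the stack buffer. Shown only to illustrate the bug class; the demo
   below never feeds it a long name. */
size_t vulnerable_store_name(const char *hdr)
{
    char buf[NAME_BUF];
    size_t len;
    const char *name = disposition_filename(hdr, &len);

    if (name == NULL)
        return 0;
    memcpy(buf, name, len);   /* overflows when len >= NAME_BUF */
    buf[len] = '\0';
    return strlen(buf);
}

/* Hardened version: the length is checked first and an over-long name is
   truncated to what the buffer can hold. Returns 0 when stored whole,
   1 when truncated, -1 when the header carries no filename. */
int safe_store_name(const char *hdr, char out[NAME_BUF])
{
    size_t len;
    int truncated = 0;
    const char *name = disposition_filename(hdr, &len);

    if (name == NULL) {
        out[0] = '\0';
        return -1;
    }
    if (len >= NAME_BUF) {
        len = NAME_BUF - 1;
        truncated = 1;
    }
    memcpy(out, name, len);
    out[len] = '\0';
    return truncated;
}

/* Constructed input: a header whose filename is 200 'A's, far longer than
   NAME_BUF. Runs the hardened path, reports the stored string length
   through *stored_len and returns safe_store_name's truncation flag. */
int demo_long_name(size_t *stored_len)
{
    char hdr[256] = "attachment; filename=\"";
    size_t prefix = strlen(hdr);
    char out[NAME_BUF];
    int rc;

    memset(hdr + prefix, 'A', 200);
    hdr[prefix + 200] = '"';
    hdr[prefix + 201] = '\0';
    rc = safe_store_name(hdr, out);
    *stored_len = strlen(out);
    return rc;
}

int main(void)
{
    size_t n;
    int rc = demo_long_name(&n);
    printf("truncated=%d stored_len=%zu\n", rc, n);
    return 0;
}
```

Whether a real browser should truncate or refuse the download is a policy choice; the point is that the length check happens before the copy, and that the name is treated as attacker-controlled input because any site can serve the header.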

Mar 24, 2008

Trend Micro gets hacked

Of course it involves porn :/

Mass Hack Attack

Posted by Laureli Mallek Wed, 19 Mar 2008 17:04:00 GMT

As Cnet and ITNews reported, Trend Micro got hacked last week. It was later discovered that users who visited the site got lucky in a big way: “We now know that the redirect on the site was broken code,” Mr Sweeny, Trend Micro’s spokesperson told ITnews. “It didn’t work properly and didn’t infect anybody.”

Additionally ITNews reported that a different wave of infection has formed, and it involves working code. This second mass attack is different, since it attempts to trick users into manually downloading an infectious codec.

The difference is linked with the modes of assault, ASP versus phpBB, AvertLabs explains. ASP attacks tend to focus on exploits that manipulate vulnerabilities in browsers or other software. The phpBB attacks use social engineering by exploiting the cognitive biases of users. I give the latter approach more points for interaction and creativity to manipulate users. Those points (sadly) get negated by the terminal result of those efforts.

Maybe the 200,000 users who went for the faux-porn offer (enough that they tried to download the player) should remember that if the prize is too big, it's probably not worth the download.

Mar 22, 2008

Microsoft Releases Windows Vista Service Pack 1

added March 19, 2008 at 04:53 pm

Microsoft has released Windows Vista Service Pack 1. This Service Pack provides updates to increase reliability, performance, compatibility, and security.

US-CERT encourages users to review the following Microsoft articles:

Mar 20, 2008

Patch your Macs!

Apple patches a pile of flaws
Published: 2008-03-19

Consumer technology company Apple released two updates on Tuesday to fix more than a hundred flaws in its Mac OS X operating system, the OS's open-source components and the company's Safari Web browser.

The software patch for the Mac OS X closes at least 95 security holes in various parts of the operating system and the system's open-source components, though many of the flaws do not affect the latest version of the operating system, Mac OS X 10.5 "Leopard". Applications with a high number of patches include the Apache Web server (10 issues), the Clam AV antivirus scanner (19 issues), PHP Web software (10 issues), and the X11 graphics library (14 issues), the company said in its advisory.

The updates are the second time this year that the company has fixed vulnerabilities in its operating system. Apple has also patched its multimedia platform, QuickTime, and updated the iPhone earlier this year.

Apple also updated its Safari Web browser on Tuesday, correcting 13 issues that affect the application running on the Mac OS X and Windows operating systems, according to the company's advisory. Many of the flaws manifest as cross-site scripting issues, but at least one vulnerability could allow remote code execution. More information about the patches can be found on Apple's security site.

Mar 6, 2008

Paypal doesn't like Safari

PayPal to Safari users: 'Ditch it'

By Jeff Smykil | Published: February 29, 2008 - 10:30AM CT

While current browser share estimates for Apple's Safari web browser hover somewhere in the 4.5 percent range, Safari is attracting some unwanted attention from PayPal, the eBay-owned payment company. PayPal is urging its users to ditch Safari and instead use alternative browsers such as Internet Explorer 7, IE 8, Firefox 2, Firefox 3, or even Opera.

The reason for the warning is Safari's lack of anti-phishing technology. Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords.

While it's not entirely fair singling out Safari (other Mac browsers like Camino also lack this support), it is perhaps at least a helpful reminder of the threat. Embarrassingly enough (what don't I keep from you folks?), I have fallen for a PayPal-related phishing scam. It was early in the morning and I realized my error as soon as I hit enter; nonetheless, there was the possibility that the phishers got my login information. At least I was lucky enough to realize I screwed up and was able to change my login information on that, and other sites, right away.

I use Camino as my full-time browser, so Safari didn't fail me, but it would have. As annoying as I sometimes find the antiphishing features at work where I use a PC, the small annoyance would have saved me an even larger one in the end.