Skip to content

Posts tagged ‘Safari’

19
Nov

Apple Releases Safari 5.0.3 and 4.1.3

Safari updates 5.0.3 and 4.1.3 (for both Mac OS X and Windows) have been released to patch a number of WebKit vulnerabilities, some of which can lead to arbitrary remote code execution.

Fire up your Software Update! Hit the jump for full details of the vulnerabilities fixed.

Read moreRead more

8
Nov

Clever Full-Site Tracking with XSS-Track

Cross-site Scripting (or XSS) is a common web application vulnerability with varying levels of severity. Generally the capabilities of a XSS are limited to the locations of vulnerable inputs and outputs, and crafting complex XSS payloads can be a time-consuming process.

XSS-Track (cached) helps simplify cross-site scripting by allowing the attacker to silently track the user across the entire site, using a single embedded XSS. It does this by cleverly creating a full-window invisible iFrame, and maintaining control of that window as the user browses the site. This also allows the attacker to look for valuable pieces of information, such as passwords or credit card numbers.

Combining XSS-Track with the older XSS-Shell script, which turns the browser into a zombie of sorts, could give an attacker a significant amount of power over infected sites and their users.

Firefox users may want to consider using the NoScript extension to protect themselves from unknowingly running malicious scripts. Despite having some limited XSS protection, and a JavaScript Blacklist extension, Safari unfortunately does not afford nearly the same protection as the whitelist-style Firefox+NoScript combination. If someone releases a NoScript-style JS Whitelist for Safari then it’ll be a big step forward.

19
Oct

Persistent Tracking using Supercookies and Evercookies

Normal websites use cookies to keep track of their visitors, either to remember that they are logged in, track statistics, or a number of other purposes. Sites can usually only track users while they are browsing that actual site (apart from Google who tracks you more or less wherever you go), however the past few years have revealed more and more ways web users can be tracked.

The concept of supercookies and ubercookies is not entirely new, but has been refined recently to turn them into digital cockroaches – very hard to permanently get rid of. Supercookies are basically an amalgamation of different software features that can be used to create a uniquely identifying token, usually one that is hard or too convoluted to delete. Now that HTML5 is becoming more widespread, there are even more options than before.

Modern supercookies comprise a number (or all) of the following:

  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Silverlight Isolated Storage
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web History
  • Storing cookies in HTTP ETags
  • Storing cookies in Web cache
  • window.name caching
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite

Samy Kamkar recently released Evercookie, a JavaScript API for creating extremely persistent browser cookies. The list above is what is what Evercookie uses to create them. If websites were to start using these techniques, they would be able to uniquely identify you (as a user, not a person) each time you visited, even if you deleted your cookies, cleared your cache, and removed your history (or used a private browsing feature). Due to the use of shared objects, such as Flash, some cookies are persistent even across different browsers!

Ultimately, I wouldn’t panic and stop surfing the web just yet, but this goes to show how the evolution of the browser (and countless plugins that now go with it) is having an effect on privacy and security (which can’t quite keep up the pace set by innovation). Dominic White describes how to delete the Evercookie when using Safari on OSX. Others have written about how to do the same on Firefox and Chrome. One reddit user has created a pseudo lockdown-script which improves the security and privacy of Firefox by making some configuration changes (eg. disabling prefetching, geolocation, caching, etc).

This post by Christopher Soghoian provides a good argument for why privacy (and security, I would add) should be adopted in web browsers by default, instead of letting users fend for themselves. Some browsers are making an effort by adding features such as private browsing, cross-site scripting protection, and Google SafeSearch (although this impacts privacy by sending Google every URL you browse to), however all too often browser plugins and add-ons are given too many privileges.

Browser security and user awareness are becoming more important than ever as traditional programs are phased out and replaced by web applications. Unfortunately both of these are still lagging a bit behind.

8
Sep

Safari 5.0.2 Update Fixes WebKit Bugs

Apple has released Safari 5.0.2 and 4.1.2 updates for Mac OS X and Windows which fix issues in both Safari and WebKit (the browser’s rendering engine).

The first issue, which only affects Safari on Windows systems, may lead to code execution if the user attempts to reveal the location of a downloaded file. The other two vulnerabilities include an input validation issue in WebKit’s handling of floating point data types, and a use-after-free issue in WebKit’s handling of elements with run-in styling. Both of these could be used to perform arbitrary code execution.

These two updates should be available in Software Update.

Hit the jump for Apple’s full patch info.

Read moreRead more

3
Aug

JailbreakMe and the PDF Exploit

[Update] JailbreakMe 3.0 for iOS 4.3.3 is out!

JailbreakMe.com by comex (et al.) now provides an easy way of remotely jailbreaking the iPhone, iPad and iPod – including those running iOS up to 4.0.1.

The technique works thanks to a specially-crafted PDF document which exploits a vulnerability in the font engine library (possibly libfreetype) used by Mobile Safari. Another local privilege escalation exploit (possibly in IOKit) is then used to gain root access on the device, allowing for the jailbreak to take place.

Depending on the device used to visit jailbreakme.com, the site will deliver one of its existing payloads, to perform the initial exploit. During the jailbreak it will download an additional 3.7MB bin file.

Although this may seem like a great ‘feature’ to potential jailbreakers, users should be aware that a severe underlying flaw exists which allows this remote jailbreaking to take place. Until Apple patches this, iPhone users should beware of visiting untrusted sites, as this same exploit could potentially be modified to carry out attacks on legitimate non-jailbroken iPhones.

Here’s a pic of Charlie Miller jailbreaking Apple Stores for fun and… well, just fun really. Here’s a video of someone doing the same.

[Update 4/8/10] ultrasn0w update brings iPhone 4 carrier unlock.

[Update 11/8/10] iOS 4.0.2/3.2.2 update patches these two vulnerabilities.

[Update 12/8/10] comex has released the source code for the jailbreak exploit.

22
Jul

Safari AutoFill Information Disclosure (with PoC)

Thanks to Safari’s nifty AutoFill feature, it has long been susceptible to an information disclosure vulnerability which could allow an malicious web page to extract various details stored in your personal vCard in Address Book.

This was highlighted a while back, and today re-emphasized by Jeremiah Grossman with a proof-of-concept attack.

The issue exists due to the way that Safari tries (by default) to auto-populate some of your details, including name, address, telephone number, etc, when you fill out forms. This can only happen if you have ‘AutoFill web forms’ enabled in Safari’s preferences, as shown in the screenshot below:

Uncheck these boxes to prevent this attack… but note that you’ll have to type your own info in afterwards! It’s not a high-risk vulnerability, but if you’re concerned about your privacy whilst browsing and in general, do what I do and don’t actually set an empty card as your personal card in Address Book. You can do this by creating a new card (enter some dummy info if you want), selecting it, and then choosing “Make this my card” from the Card menu.

Apple’s been notified of the issue, however as this is a ‘feature’ and not a bug, it’ll be interesting to see whether they’ll actually choose to do anything about it.

css.php
Weboy
WordPress Themes