System Specs Object on Forums Doesn't Work in Safari

Discussion in 'Site Feedback and Suggestions' started by Obi-Wan Jerkobi, Jun 13, 2008.

  1. Blind Dragon Newcomer, in training

    If the Firefox exploit gets released publicly I will take the same stance: don't use it until they release a patch. But until that happens and nobody knows what this exploit is, I suggest installing SpywareBlaster, put a check on the Firefox tab, and select immunize from all checked.

    I use multiple browsers and really have no preference except that I don't like Internet Explorer, due to the fact that it is a target for exploits. I like Safari, Opera, and Firefox and have all 3 installed on this machine that I am typing on.

    My suggestions are my opinions on playing it safe rather than being sorry later. I have seen too many exploits in the past that go public, then some *****s figure out how to use them.
  2. Rick TechSpot Staff

    To those of you reading, keep on using Safari or whatever it is. Your only real protection here is a firewall. Here's why...

    Wow, if this isn't just silly...

    What exactly could NOT be used in conjunction with bugs in Windows and IE? If someone has their system compromised at the shell level, then their problem clearly isn't with Safari. There are plenty of other nasty things that could be done through these things that wouldn't even begin to include Safari.

    Not using Safari in this case is like plugging up a single hole on your Swiss cheese boat. It doesn't solve the underlying issue and it does not make you any safer.

    I'm sure someone has mentioned this here, but the exploit allows a file to be copied to your download folder without your permission. The second half of the exploit relies on OTHER exploits to run the file. That means your computer has to be compromised in addition to this exploit being performed before it is of any concern.

    Of course, it could be the most malicious program ever written, but if no one can execute it, then no one needs to worry. Your personal safety is up to you and whether or not your system is reasonably secure (firewall & antivirus).
  3. Blind Dragon Newcomer, in training

    Ok, you all win.

    No more pointless security updates from me.

    In fact, maybe I am not ready to help in the security section yet.
  4. kimsland Ex-TechSpotter

    I vote for Blind Dragon, even if he's wrong.
    If he's found to be wrong, we should change the ruling on all sites to reflect his way.

    Blind Dragon's just too damn good at the security and the web area.
  5. SNGX1275 TechSpot Special Forces

    Nobody is saying you are unqualified for the Security forum. And since you are helping an immense number of people in there, it would be a shame for you to get upset and quit because a couple of people disagree with your position on this.

    But here are the facts once again. The exploit for Safari has been publicly released, it still isn't found 'in the wild', and no patch has been released since Apple doesn't think it is a big deal because the user can just change the default download directory and the exploit is gone. The only way this can actually mess you up is if you got some malicious executables through the exploit, then either you ran those yourself, or you got hit also by the IE/Windows problems. That seems extremely unlikely, and even at that it would still have to get past your AntiVirus.

    Now the FF one, it's undisclosed, which is fine because it hasn't been publicly released, but we have no idea how bad it is, or who all knows about it. But it too hasn't been found 'in the wild' yet. As of now we don't know the potential harm from it, and that should induce some caution.

    Based on this, I would expect you to also say you wouldn't recommend using Firefox until it is patched just as you did with Safari. But in essence you can patch the Safari one yourself. Then there is absolutely no harm in running Safari still.

    So the way I see it, you can change the dl directory for Safari and be safe from that problem. The Firefox issue we have no idea how harmless or harmful it could be, so if anything, Firefox should be the one you don't use until it is fixed.

    I suspect that you have some passion behind Firefox, you've used it for quite some time, and with good reason left IE5 or IE6. I feel the same about Opera. But I also suspect there is some anti-Apple behind this as well, because I don't see how you can take the stance you did with Safari and not here with Firefox. Your statement when you first brought this up was "Safari has been hit hard lately by the malware writers." when that really isn't true because nobody has even seen this happening. I pointed that out in my first reply after you posted.

    I'm just trying to defend a browser here that has few defenders. This is nothing personal against you, I would have posted my same replies to anyone else.
  6. Blind Dragon Newcomer, in training

    Nothing personal against you either. I am just stating how I see things going and what this vulnerability COULD be used for.

    Actually Apple patched all this up on Thursday according to their site, so it is even more pointless to continue arguing.

    However, for argument's sake read these carefully, as you seem to suggest that a simple firewall/antivirus would prevent execution of code.

    Resolved issues that existed with Safari:

    "An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP."

    "Visiting a malicious website which is in a trusted Internet Explorer zone may lead to the automatic execution of arbitrary code"

    "Viewing a maliciously crafted BMP or GIF image may lead to information disclosure"

    "If exploited, the blended flaw could allow an attacker to unleash malicious content on a victim's computer and execute the content locally with elevated login privileges by tricking a user into visiting a malicious Web site."

    If Apple wasn't concerned about this, then why did they patch it so fast? Granted, a lot of the blame could be put on Microsoft.
    http://support.apple.com/kb/HT2092

    And also, I agree with Rick that you do have a responsibility to secure your system so that this kind of thing is a nonissue. But the truth is I still see plenty of people in the security section without a simple AV product, and the keywords they use are unknowingly and trick the user. What if I write a piece of code, and inject you with it, do you think your antivirus is going to pick that up? I just feel that people need to be informed of what is out there. That is why I help in the security section and that is why I secure so many systems for TechSpot users; it would be just as easy to be on the other side of this battle.

    Edit: Upgrade to Safari 3.1.2 for Windows if you haven't already.