System Specs Object on Forums Doesn't Work in Safari

Obi-Wan Jerkobi

Has anyone else noticed this in Safari on PC? I just thought I'd ask to see if there was any way to fix it or is it just a quirk with the browser. :)
 
Sorry I didn't clarify that.

It actually won't show system specs on a person's post. There's no little arrow next to "System Specs", it actually doesn't function. I even see the URL add "#sysinfo" to the end but still nothing shows up. I can change my specs OK, I just can't view them outside the options and full profile view.
 
In Opera 9.x the system specs doesn't show up on your post right after you post it. It does for all the other posts in the thread. A refresh allows the pulldown menu though.

 
We will be upgrading the vBulletin version soon. Since we use their javascript code to show the system specs on the drop down that may have been already addressed. We will see then.. ;)
 
That is a bit misleading Blind Dragon. It hasn't been observed in the wild yet, so it is still only a proof of concept.

I wouldn't be too scared of that exploit, it can't execute the files it downloads, you'd still have to do that manually. Hopefully you have an idea of what you have downloaded. It also appears you have to go to a specifically crafted page.

The 'security through obscurity' thing is probably going to make this a non-issue considering how Safari has even less of a Windows user base than Opera. I am aware this affects OS X users too, but the design of the OS makes it impossible to deliver an executable (app file), they have to come in a container of some sort, which the user has to take action to do anything with it, and then even after that Leopard will warn you before you launch any program which you have downloaded for the first time, giving you details on it.
 
Well, if you are going to keep using safari here is the recommendation they make.

"On May 30, Microsoft issues a security advisory that recommends users avoid using Safari until researchers have looked into the browser, and until appropriate updates are provided by either Microsoft or Apple. For ardent observers of the MS-Apple rivalry, it is easy to speculate about the motives behind such an advisory –but users should not lose sight of the real issue: that although this vulnerability exists in the POC realm, it might give hackers just the kind of scenario they might find useful in future attacks. Users are encouraged to change the download location of files by editing user preferences in Safari."
 
I read the security advisory on Microsoft's site. "At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat."

Then also:
Mitigating Factors:
• Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

It is a good scare story because it can happen, but it isn't happening across the web as of now and even if it was the user still would have to run the downloaded files manually. It's really a non-issue that is getting blown up to be this huge problem in the 'blogosphere'.
 
You all can do what you want. I, however, feel the need to at least warn people before they show up in the security section asking me why their desktop has new icons on it.


You are right, the last quote there is from Trend Micro.

---------------------------------------------------------------

I would call it more than a non-issue. Basically it appears that there are a number of security flaws playing on this one.

Safari doesn’t ask for user permission when downloading resources, which makes an easy target for Iframe attack.

Safari automatically downloads the files multiple times, storing copies of these in said folders without first waiting for user commands or showing some dialog box informing the user of what is happening.

It allows attackers to litter a victim's desktop with executable files

Security researcher Aviv Raff said that if this flaw is exploited in combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer.

Obi-Wan Jerkobi said:
I do believe this equally can happen in IE7 as well? :p
More reason to stick with Firefox. Especially with the new version fixing to be released.
 
You can warn people that the potential for something bad to happen is there. What I don't like is seeing you wording it like the user needs to not use it or they will be compromised. Not fully explaining it just perpetuates fear and spreads a bad word about Safari. Tons of exploits in software and operating systems are revealed all the time, many times weeks or months go by before they are officially fixed, if there is a real and present threat they will get more attention and fixed sooner. Microsoft's page on this indicates that they may release something to fix this when really it should be Apple doing it, but if Microsoft says that they may have the ability to do something on their end, if they deemed it serious enough they probably would. Apple hasn't fixed it because they don't see it as a big problem right now. I side with both Microsoft and Apple on this because it isn't a big problem right now, there are no cases where this exploit has been used outside of proof of concept yet. There is no need for an alarmist tone.

Beyond all that, it's simply fixed by changing the default download directory. If anything you should warn people and tell them how to protect themselves. Rather than simply telling them their browser of choice shouldn't be used. I would suggest Opera 9.5 if Safari absolutely had to be avoided, but it doesn't.
 
Well that is my opinion. That an alarmist tone is needed. I don't really want to argue over something so minimal. The information for people to form their own opinions is in this thread, both through our post and the links provided. I personally would not use the browser until the patch is released, but that is my opinion. Our readers should and will form their own opinions, and no matter what you or I say, in the end some will still use p2p, they will still not use a 3rd party firewall, and they will still use a compromised browser.
 
I couldn't disagree with your stance more, but so be it. I'm going to go ahead and close the thread since Julio already answered what this was about, and all further discussion was off topic.
 
Sorry to bring this back, but it's reopened for rebuttal of this post.

I hope you take the same 'Alarmist tone' with this that you found absolutely necessary for Safari. Safari's could even be rendered moot by changing the download directory, which was made known by Apple. Mozilla is sitting tight on this until they can get a patch out, leading me to believe that there isn't a simple end user fix.

But how is this any different from what I was describing with that issue in Safari?
Firefox 3 Vulnerabilities Could Affect Over 14 Million Computers - Security Flaws Discovered in Firefox 3.0
"Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page."

In response to this security report, Mozilla Security Blog posted, "This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the current risk to users".

If other security reports are taken into account, like the one found on SecurityFocus website which deals with an unspecified buffer overflow vulnerability (boundary condition error), the new security improvements from Firefox 3.0 are not powerful enough for present phishing and malware threats. In conclusion, having in mind that over 14 million downloads of Mozilla Firefox 3.0 have been performed, users' computers are in potential danger until the security patches are released to fix the existing vulnerabilities.
 
Apple made public a way to prevent the exploit. It was something anyone could do, change the default download directory.
 
Your stance has changed depending on which browser it is. As you noted, there is a way to immunize Safari. Yet you still recommended not using the browser until it is fixed. Here we have an undisclosed exploit(s) in FF and your recommendation is to use Spyware Blaster? Why the change of heart?
 
If the Firefox exploit gets released publicly I will take the same stance, don't use it until they release a patch. But until that happens and nobody knows what this exploit is, then I suggest installing Spyware Blaster, put a check on the Firefox tab, and select immunize from all checked.

I use multiple browsers and really have no preference except that I don't like Internet Explorer, due to the fact that it is a target for exploits. I like Safari, Opera, and Firefox and have all 3 installed on this machine that I am typing on.

My suggestions are my opinions on playing it safe rather than being sorry later. I have seen too many exploits in the past that go public then some *****s figure out how to use them.
 
To those of you reading, keep on using Safari or whatever it is. Your only real protection here is a firewall. Here's why...

Security researcher Aviv Raff said that if this flaw is exploited in combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer.
Wow, if this isn't just silly...

What exactly could NOT be used in conjunction with bugs in Windows and IE? If someone has their system compromised at the shell level, then their problem clearly isn't with Safari. There are plenty of other nasty things that could be done through these things that wouldn't even begin to include Safari.

Not using Safari in this case is like plugging up a single hole on your Swiss cheese boat. It doesn't solve the underlying issue and it does not make you any safer.

I'm sure someone has mentioned this here, but the exploit allows a file to be copied to your download folder without your permission. The second half of the exploit relies on OTHER exploits to run the file. That means your computer has to be compromised in addition to this exploit being performed before it is of any concern.

Of course, it could be the most malicious program ever written, but if no one can execute it, then no one needs to worry. Your personal safety is up to you and whether or not your system is reasonably secure (firewall & antivirus).
 
Ok, you all win.

No more pointless security updates from me.

In fact, maybe I am not ready to help in the security section yet.
 
I vote for Blind Dragon, even if he's wrong.
If he's found to be wrong, we should change the ruling on all sites to reflect his way.

Blind Dragon's just too damn good at the security and the web area.
 
Nobody is saying you are unqualified for the Security forum. And since you are helping an immense number of people in there it would be a shame for you to get upset and quit because a couple people disagree with your position on this.

But here are the facts once again. The exploit for Safari has been publicly released, it still isn't found 'in the wild', and no patch has been released since Apple doesn't think it is a big deal because the user can just change the default download directory and the exploit is gone. The only way this can actually mess you up is if you got some malicious executables through the exploit, then either you ran those yourself, or you got hit also by the IE/Windows problems. That seems extremely unlikely, and even at that it would still have to get past your AntiVirus.

Now the FF one, it's undisclosed, which is fine because it hasn't been publicly released, but we have no idea how bad it is, or who all knows about it. But it too hasn't been found 'in the wild' yet. As of now we don't know the potential harm from it, and that should induce some caution.

Based on this, I would expect you to also say you wouldn't recommend using Firefox until it is patched just as you did with Safari. But in essence you can patch the Safari one yourself. Then there is absolutely no harm in running Safari still.

So the way I see it, you can change the dl directory for Safari and be safe from that problem. The Firefox issue we have no idea how harmless or harmful it could be, so if anything, Firefox should be the one you don't use until it is fixed.

I suspect that you have some passion behind Firefox, you've used it for quite some time, and with good reason left IE5 or IE6. I feel the same about Opera. But I also suspect there is some anti-Apple behind this as well because I don't see how you can take the stance you did with Safari and not here with Firefox. Your statement when you first brought this up was "Safari has been hit hard lately by the malware writers." when that really isn't true because nobody has even seen this happening. I pointed that out in my first reply after you posted.

I'm just trying to defend a browser here that has few defenders. This is nothing personal against you, I would have posted my same replies to anyone else.
 