14 Jun 2007

Apple Safari 3.0.1 Released


Steve Jobs must have been kicking ass and taking names, because only 3 days after the initial release of Apple’s Safari web browser for Windows, which had 6 known security bugs as of this article, Apple has released an updated version, Safari 3.0.1. According to Engadget, the following bugs have been fixed in this release.

CVE-ID: CVE-2007-3186
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to arbitrary code execution
Description: A command injection vulnerability exists in the Windows version of Safari 3 Public Beta. By enticing a user to visit a maliciously crafted web page, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional processing and validation of URLs. This does not pose a security issue on Mac OS X systems, but could lead to an unexpected termination of the Safari browser.

CVE-ID: CVE-2007-3185
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution
Description: An out-of-bounds memory read issue in Safari 3 Public Beta for Windows may lead to an unexpected application termination or arbitrary code execution when visiting a malicious website. This issue does not affect Mac OS X systems.

CVE-ID: CVE-2007-2391
Available for: Windows XP or Vista
Impact: Visiting a malicious website may allow cross-site scripting
Description: A race condition in Safari 3 Public Beta for Windows may allow cross site scripting. Visiting a maliciously crafted web page may allow access to JavaScript objects or the execution of arbitrary JavaScript in the context of another web page. This issue does not affect Mac OS X systems.

This is a nice turnaround time indeed, but my heart goes out to the Safari developers, because they probably worked night and day for the last 72 hours with the watchful eye of Steve Jobs over them. Good job, Apple; now get some rest.

So if you feel inclined and don’t think you already have too many web browsers:

Download Safari

12 Jun 2007

Apple Safari Browser Welcomed To Real World With 6 Zero Day Exploits


Apple released a public beta of its Safari browser for Windows yesterday, and there are already 6 zero-day exploits and many, many crashes for the browser. You can read about them here, here, here and here. Which makes the following image from the Apple website, borrowed from aviv.raffon.net, all the more funny.

Apple Safari Security

Also Apple has the following to say under the Security tab of their website:

Security

Now you can enjoy worry-free web browsing on any computer. Apple engineers designed Safari to be secure from day one.

For starters, Safari uses robust encryption to ensure that your private information stays that way. When you browse a secure site, Safari displays a lock icon in the upper-right corner of the browser. If you want to know more about the credentials of a secure site, click the lock icon and Safari displays detailed information about the site’s security certificate.

Safari supports SSL versions 2 and 3, as well as Transport Layer Security (TLS), the next generation of Internet security. Safari uses these technologies to provide a secure, encrypted channel that protects all your information from online eavesdroppers. And Safari lets you use standards-based authentication such as Kerberos single sign-on and X.509 personal certificates, or proprietary protocols like NTLMv2 to log in to secure sites.

Safari also supports a variety of proxy protocols — services that help firewalls control what flows in and out of the network — including Automatic Proxy configuration, FTP Proxy, Web Proxy (HTTP), Secure Web Proxy (HTTPS), Streaming Proxy (RTSP), SOCKS Proxy, and Gopher Proxy.

I don’t know about you, but it’s one thing to say that you have designed your browser to be secure from day one, and another to actually prove it. Apple has fallen flat on its face with this release, and I know it is only a beta, but Firefox and IE have both been in beta before and haven’t had nearly this many problems.

All I have to say is: when you venture out into the Windows world, Apple, where the market share is at 90%, you are not protected by your small margins anymore.

02 Jun 2007

DRM-Free Doesn’t Equal License Free


Last week Apple released iTunes Plus, a higher-quality download with no DRM for $1.29 US. However, many people in the blogosphere have interpreted DRM-free as meaning privacy in your purchase. This is totally the wrong way of looking at DRM:

Digital rights management (DRM) is an umbrella term referring to technologies used by publishers or copyright owners to control access to or usage of digital data or hardware, and to restrictions associated with a specific instance of a digital work or device. The term is often confused with copy protection and technical protection measures, which refer to technologies that control or restrict the use and access of digital content on electronic devices with such technologies installed, acting as components of a DRM design.

In fact, DRM-free is exactly what it means: you are free to do with the song what you like, but your purchase is still registered as being your purchase. A better way to think of Apple’s iTunes Plus program is the same way you think of the DMV: you are free to use your car however you want; nobody is restricting you from loaning your car to your friend, or where you can drive it and how far. Even though your car is your property, free and clear of any rules, you still have to license the car and register the VIN with the DMV. Also, the license plate on the car is only checked if you are committing a crime. In the same respect, Apple is no longer telling you how many times you can burn your song, how many iPods it can be placed on, or who you can lend the song to, but the song still needs to be licensed through iTunes. They are only going to check the license if you are committing a crime with the song, such as violating the EULA, which I am pretty sure includes posting it to a P2P site.

So before everybody starts getting hot under the collar about your information showing up in the song you licensed from iTunes and EMI, just sit back and think for a second about how much this doesn’t affect you. Essentially the song is there for you to share with all your friends, just like a CD or anything else; however, if you start posting the song publicly, which is the same as playing a CD in a large venue, you have violated the license agreement of your purchase and you should pay the price.

I personally congratulate Apple for taking this critical step toward a DRM-free world.