
Forum Thread: Incorrect version recommendation

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Apple
And, this specific program:
Apple Safari 5.x

This thread has been marked as locked.
bfdi533 Incorrect version recommendation
Member 8th Aug, 2011 18:44
Ranking: 0
Posts: 2
User Since: 8th Aug, 2011
System Score: N/A
Location: US
Last edited on 8th Aug, 2011 18:44

Program Name:
Apple Safari 5.x

Security State:
Insecure

Download Link:
http://www.apple.com/safari/download/

Instances Found:
C:\Program Files\Safari\Safari.exe, version: 5.33.21.1

Last System Scan (localtime):
2. Aug 2011, 13:19

Operating System:
Microsoft Windows XP Professional, Service Pack 3

PSI is recommending version 5.0.6 as a replacement for the current version. This is a lower version number than that already installed.

mogs RE: Incorrect version recommendation
Expert Contributor 8th Aug, 2011 19:21
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 8th Aug, 2011 19:22
@bfdi533

There seems to be some explanation here from a previous occasion...given by a Secunia official: regarding version numbering :-
http://secunia.com/community/forum/thread/show/716...

Tho' I think I should also point out, that according to the Secunia Advisory here, both versions would still seem to be vulnerable :-
http://secunia.com/advisories/product/30282/

Hope the foregoing offers some help......regards,

--
Anthony Wells RE: Incorrect version recommendation
Expert Contributor 8th Aug, 2011 19:46
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

@bfdi533 ,

The download link offered by the PSI in your troubleshoot report takes you to the Safari website and offers you the download of version 5.1 . The downloaded installer .exe file shows as version 5.34.50.0 .

So the "metadata confusion" as discussed by the Secunia official (as linked by Mogs) would seem to continue , but at least the download file seems correct .

You may wish to advise Secunia direct at support@secunia.com if the PSI display continues to state/recommend 5.0.6 as opposed to 5.1 - (I am unable to see this , so cannot comment) - if they do not pick up this thread , here , tomorrow (CET) .

Hi Mogs ; trust you are well . Yachida .

Take care .

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
mogs RE: Incorrect version recommendation
Expert Contributor 8th Aug, 2011 19:54
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hi Anthony ! Quite well thanks...need a bit more physical exercise....wear the rubber down on my shoes more often ! Glad you're in good spirits.
Thanks for enlarging 'pon the Safari discrepancies....regards/best wishes......

--
Anthony Wells RE: Incorrect version recommendation
Expert Contributor 8th Aug, 2011 20:06
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi again to you both ,

I have just noticed in SA45325 that both versions 5.0.6 and 5.1 are said to patch/update the vulnerability . By Secunia detection rules , the PSI will continue to suggest that 5.0.6 is the "first" version to deal with the problem and assume that 5.1 is a bug/eye candy fix . This will continue as long as 5.0.6 is supported and is fully patched , even/especially if 5.1 is a platform change and even if the link goes to 5.1 , the PSI may well try to offer 5.0.6 , but that will be conditional on the Safari website . Confusing , but there you go :))

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Maurice Joyce RE: Incorrect version recommendation
Handling Contributor 8th Aug, 2011 21:19
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I have installed Safari on my test PC (XP SP3).

The link given by Secunia PSI in your report to update takes U to the download page.

What that download link did.

1. Installed version 5.34.50 for Safari & version 2.1.3.127 for the updater.

2. A check of the Browser "about" is consistent with that download in revealing version 5.1 (7534.50).

3. A full PSI rescan revealed that version 5.34.50 is patched.

4. Checking the Secure Browsing Section reveals there is an outstanding vulnerability under SA40110.

This is consistent once again in that you, as a user, have done all U can to patch Safari hence it shows as patched in the main window & vulnerable in the Secure Browsing Section (for use by advanced users)

5. Details of the outstanding vulnerability are here:

http://secunia.com/advisories/40110/

which also gives a link to here:

http://secunia.com/advisories/39670/

File numbering is also consistent:

The application file in Windows Explorer is 5.34.50 which matches the PSI meta data. The "about" feature within the browser is listed slightly differently but has the core element of 5.17534.50.

Nowhere on my test can I find the error reported where PSI is advising a download of 5.0.6. Where did U find that information?






--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
bfdi533 RE: Incorrect version recommendation
Member 9th Aug, 2011 17:09
Score: 0
Posts: 2
User Since: 8th Aug 2011
System Score: N/A
Location: US
Thank you all for the feedback. Seems that the links, as stated, are correct for the 5.1 update and that PSI still offers the earlier, lower, version number in its recommendation. At least MY confusion is now cleared up even if PSI is still confused.
