Forum Thread: Safari 4.x Secure Browsing Glitch?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
Arenlor Safari 4.x Secure Browsing Glitch?
Member 24th Dec, 2009 17:53
Ranking: -58
Posts: 16
User Since: 30th May, 2009
System Score: 100%
Location: US
It is referencing http://secunia.com/advisories/33495/ and saying Safari is insecure. CVE references http://marcell-dietl.de/index/adv_safari_4_x_js_re... which gives an example of how to cause the crash. I tried this and it does not work. I actually have an example up: http://xn--5dbhlm7d.com/safari-crash/

--
Helping Secunia not be Scareware.

thedillpickl RE: Safari 4.x Secure Browsing Glitch?
Contributor 28th Dec, 2009 03:44
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Last edited on 10th Jan, 2010 03:27
Hi arenlor;

I wouldn't be too concerned. Secunia's definition of a level 1 threat is,

"Not Critical (1 of 5)
Typically used for very limited privilege escalation vulnerabilities and locally exploitable Denial of Service vulnerabilities.

This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of installation path of applications).".

If you look under the "Patched" tab, I'm sure you'll find scary threats that will make you forget all about your browser!


Fred
.

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 28th Dec, 2009 04:13
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
My issue is simply that there is no problem. Not even a level 1 issue. Nothing happens. I even give a link to a page that was created using the reporter's directions, doing exactly what he says in order to cause the problem, and it is not reproducible. Unless I'm missing something I think that Secunia needs to remove the advisory.

--
Helping Secunia not be Scareware.
thedillpickl RE: Safari 4.x Secure Browsing Glitch?
Contributor 1st Jan, 2010 22:22
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi Arenlor;

I'm not meaning to be disagreeable, so forgive me. It is possible that the problem could happen on another system. The browser may react differently on computers of varying model & manufacture, not to mention a multitude of software combinations.

Let's be grateful the problem doesn't seem to affect your system.


Happy New Year!

Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 01:31
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
Just reread it and noticed, it's for an old version of Safari. I have 4.0.4 (531.21.10) and it's for 4.0 (530.17). Still it's in my secure browsing tab as being vulnerable to it. I think they are just having trouble identifying that I'm on a new version of Safari. This is still an issue since they could be directing people away from Safari.

--
Helping Secunia not be Scareware.
thedillpickl RE: Safari 4.x Secure Browsing Glitch?
Contributor 2nd Jan, 2010 03:40
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Last edited on 2nd Jan, 2010 03:43
Hi Arenlor;

I understand you have a concern to protect the good name of Safari, but other browsers have bigger problems so I'm unsure where Secunia would be directing them.

To address your problem at hand, PSI is more than likely detecting an older copy of Safari if you have a backup partition on your hard drive, or a leftover bit from an earlier install.

What is the version of Safari being reported by PSI?

In PSI, click on the "Patched" tab, click on the [+] to the left of Safari, click on "Technical details". What is the installation path?


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 04:32
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
C:\Program Files\Safari\Safari.exe and version 4.0.4
No other version is detected and I don't keep backups on my computer, and don't keep my backup drive hooked up. I went through Secure Browsing and clicked on Safari through there and it led me directly to the entry as stated above. So they are detecting the current version. My theory is that Apple fixed the bug and Secunia doesn't realize it yet.

--
Helping Secunia not be Scareware.
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 13:25
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 2nd Jan, 2010 13:28
Page 2 of the Secunia Advisory explains that the solution is the vendor work around - not a patch :-

http://secunia.com/advisories/33495/2/

This means Safari has not been patched , no "patched" version is available and so it appears as it does in "secure browsing" ; the same applies to the "old" IE problem (no work around) and the current Adobe Acrobat and Reader problems (workaround available).

Hope that clears things up :))

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 16:42
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
The "workaround" is to "patch" it to the newest version it would seem. As the new "patched" version is not vulnerable.

--
Helping Secunia not be Scareware.
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 17:01
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

PSI does not check if you have used a vendor "work around" or applied any other modifications to your programme , it checks your version to see if it has a security vulnerability and if a new release is available which secures/patches the problem .

Safari has not released an "updated/patched" version .

The definitions of these terms are those used by Secunia .

--


It always seems impossible until it's done.
Nelson Mandela
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 17:03
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
Ok, that's what I'm saying. It HAS been updated.

--
Helping Secunia not be Scareware.
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 17:10
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 2nd Jan, 2010 17:11
You (not Apple) have fixed/updated Safari by applying the workaround , others may not ; PSI does not know this so it makes you/others aware of the "unpatched" status in the "safe browsing" tab .

--


It always seems impossible until it's done.
Nelson Mandela
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 17:13
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
What workaround would that be? I do not consider updating to a newer version a workaround, if that was true then almost all programs listed in Secunia should still be marked unpatched, since you only update to a new version, not apply a patch.

--
Helping Secunia not be Scareware.
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 17:27
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
on 2nd Jan, 2010 13:25, Anthony Wells wrote:
Page 2 of the Secunia Advisory explains that the solution is the vendor work around - not a patch :-

http://secunia.com/advisories/33495/2/

This means Safari has not been patched , no "patched" version is available and so it appears as it does in "secure browsing" ; the same applies to the "old" IE problem (no work around) and the current Adobe Acrobat and Reader problems (workaround available).

Hope that clears things up :))

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 18:19
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
Ok so what do they consider a patch to be then?

--
Helping Secunia not be Scareware.
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 19:18
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

I have no idea as to their exact definition as I do not work for them (if by "them" you mean Secunia) .

Here's what wiki says (if you believe them) :-

http://en.wikipedia.org/wiki/Patch_(computing)

I will say that Secunia are only interested in Vulnerability/Security updates - not bug fixes or eye candy .

If your build DID contain a solution (patch) for the vulnerability shown in SA33495 then Secunia SHOULD have updated that advisory to show that installing/updating to your version fixed the problem ; that the work around (which is not a piece of software) is not needed and show your version as "patched" in "secure browsing" with no reference to the SA ; it would show your build still in the "patched" tab and any older versions in the "insecure" tab .

If that is not the case , then one of you is wrong . If you think it is Secunia , I suggest you take it up with Secunia and Apple direct . Let us know how you get on .

--


It always seems impossible until it's done.
Nelson Mandela
thedillpickl RE: Safari 4.x Secure Browsing Glitch?
Contributor 2nd Jan, 2010 22:40
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hello;

@Arenlor: I do not completely comprehend your apparent need to do battle with symantics. If you desire to understand why Secunia is showing Safari as insecure (r. http://www.merriam-webster.com/dictionary/insecure The first definition applies here.) please take a breath and reread what Anthony has posted above. I could drone on, repeating what was already said, but to what end? If, on the other hand, your wish is for persons on this forum to simply agree with your view, so be it. You are correct, the rest of us are wrong. Feel better?

@Anthony: Good job sir.


respectfully;

Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 23:00
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Fred ,

Is that semantics or symantecs or simply a cold wind from the norton , which we call a mistral , but is a mystery to others !!

Take care
Anthony :))

--


It always seems impossible until it's done.
Nelson Mandela
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 23:03
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
Well, I'm here informing you, Safari has been patched, and is quite secure. Don't worry, I'll make sure that Apple gets in touch with Secunia. The neat thing about our legal system is that it allows one company to sue the other for slander.

--
Helping Secunia not be Scareware.
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 23:05
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

You probably mean libel .

--


It always seems impossible until it's done.
Nelson Mandela
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 23:07
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
It's like taking someone to court for abuse, you have to specify what type, and provide examples of it. They would sue for libel because of slander, and use Secunia listing them as insecure as evidence.

--
Helping Secunia not be Scareware.
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 23:08
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

I think you mean defamation .

--


It always seems impossible until it's done.
Nelson Mandela
Arenlor RE: Safari 4.x Secure Browsing Glitch?
Member 2nd Jan, 2010 23:09
Score: -58
Posts: 16
User Since: 30th May 2009
System Score: 100%
Location: US
Then prove it.

--
Helping Secunia not be Scareware.
Anthony Wells RE: Safari 4.x Secure Browsing Glitch?
Expert Contributor 2nd Jan, 2010 23:13
Score: 2425
Posts: 3,314
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
In law, defamation—also called calumny, vilification, slander (for spoken words), and libel (for written or otherwise published words)—is the communication of a statement that makes a claim, expressly stated or implied to be factual, that may give an individual, business, product, group, government or nation a negative image.

--


It always seems impossible until it's done.
Nelson Mandela
thedillpickl RE: Safari 4.x Secure Browsing Glitch?
Contributor 3rd Jan, 2010 00:59
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Last edited on 3rd Jan, 2010 01:08
Arenlor;

sec.1, par.1
Be forewarned, I am armed with a book that is called a dictionary.

dictionary http://www.merriam-webster.com/dictionary/dictiona...


sec.1, par.2
One would assume that a multi-jurisdictional international attorney, such as yourself, being able to litigate in a lawsuit between two major corporations would avail himself/herself of said book (sec.1,par.1). But, as you have chosen to proceed ill-prepared, by all means, allow me.


sec.2, par.1
stated by Arenlor on 2nd Jan, 2010 23:03
"The neat thing about our legal system is that it allows one company to sue the other for slander."

Slander, it seems, is spoken, audibly.

slander http://www.merriam-webster.com/dictionary/slander
Function: transitive verb
: to utter slander against : defame

utter http://www.merriam-webster.com/dictionary/utter
Function: verb
2 a : to send forth as a sound <utter a sigh> b : to give utterance to : pronounce, speak <refused to utter his name> c : to give public expression to : express in words <utter an opinion>

Can you present a witness that heard a Secunia representative say anything slanderous about Apple Safari?


sec.2, par.2
stated by Anthony Wells on 2nd Jan, 2010 23:05
"You probably mean libel ."

Libel is a written (or possibly oral, see definition 2 below) statement.

libel http://www.merriam-webster.com/dictionary/libel
Function: noun
1 a : a written statement in which a plaintiff in certain courts sets forth the cause of action or the relief sought b archaic : a handbill especially attacking or defaming someone
2 a : a written or oral defamatory statement or representation that conveys an unjustly unfavorable impression b (1) : a statement or representation published without just cause and tending to expose another to public contempt (2) : defamation of a person by written or representational means (3) : the publication of blasphemous, treasonable, seditious, or obscene writings or pictures (4) : the act, tort, or crime of publishing such a libel

So it seems, Arenlor, you would sue for libel.


sec.2, par.3
Score: Arenlor 0; Anthony 1


sec.3, par.1
stated by Arenlor on 2nd Jan, 2010 23:07
"They would sue for libel because of slander, and use Secunia listing them as insecure as evidence."

Again, you would sue for libel because of libel, as the Secunia listing is written, albeit digitally recorded. Slander is spoken libel.


sec.3, par.2
stated by Arenlor on 2nd Jan, 2010 23:07
"They would sue for libel because of slander..."

stated by Anthony Wells on 2nd Jan, 2010 23:08
"I think you mean defamation."

defamation
Function: noun
: the act of defaming another

defame
Function: transitive verb
Inflected Form(s): de·famed; de·fam·ing
2 : to harm the reputation of by libel or slander


sec.3, par.3
Score: Arenlor 0; Anthony 2


sec.4, par.1
stated by Arenlor on 2nd Jan, 2010 23:09
"Then prove it."

I just did.


Fred

p.s. @Anthony: Didn't intend to butt in, couldn't help myself.

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis