
Forum Thread: Safari nogoodi?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI 2.0 Beta

This thread has been marked as locked.
Midnight_Voice Safari nogoodi?
Member 23rd Nov, 2010 21:21
Ranking: 50
Posts: 89
User Since: 1st Oct, 2010
System Score: 96%
Location: UK
My W7 machine popped up a dialogue a little while ago, offering me a new version of Safari.

As my Secure Browsing tab (now hidden in PSI 2 unless you tick a box under Settings, chiz, chiz) told me Safari was insecure, I was pleased to be offered this update, and installed it.

Now Safari is 5.0.3 (7533.19.4)

However, Secure Browsing still shows Safari as unpatched and vulnerable.

Unless I double-click the Safari line, when it says 'The program was detected as Patched and thus you do not need to install any security patches for this program'.

Can't both be right, can they? So which is it - safe or not?

--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6GHz

mogs RE: Safari nogoodi?
Expert Contributor 23rd Nov, 2010 21:39
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Below is a copy of the Secunia Advisory: http://secunia.com/advisories/product/30282/


If you have information about a new or an existing vulnerability in Apple Safari 5.x then you are more than welcome to contact us.

Vendor, Links, and Unpatched Vulnerabilities

Vendor Apple

Product Link View Here (Link to external site)

Affected By 4 Secunia advisories
47 Vulnerabilities

Monitor Product Receive alerts for this product

Unpatched 25% (1 of 4 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Apple Safari 5.x, with all vendor patches applied, is rated Less critical .


So, the browser is patched as much as you can do at the moment....tho' still has a vulnerability which shows up in the Secure Browsing tab.


--
Was this reply relevant?
+2
-0
Midnight_Voice RE: Safari nogoodi?
Member 23rd Nov, 2010 22:20
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
Last edited on 23rd Nov, 2010 22:22
@mogs

Thanks.

I had already chased the Secunia reference and read that page you quote, though I was completely unable to discover from it which version of Safari 5.x Secunia thought was the latest.

Though perhaps it is there somewhere; they do give such details for other vulns, I see.

But that being so, I don't know if Secunia are behind the curve with this latest Safari, or whether they or some other vuln researcher(s) have had an advance copy of it and determined that the issue still exists.

I'm sure your interpretation of what Secunia are saying is correct: 'This copy of Safari, whether vulnerable or not, is fully patched, so there is no more you can do at present'

Or possibly 'This copy of Safari, though still vulnerable, is fully patched, so there is no more you can do at present'

Or even 'This copy of Safari is no longer vulnerable, is fully patched, and there is no more you need do at present'

(whichever is Secunia's best estimate of the situation).

But none of these are what they do say.... :-(

Was this reply relevant?
+0
-0
mogs RE: Safari nogoodi?
Expert Contributor 23rd Nov, 2010 22:25
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 23rd Nov, 2010 22:26
If it wasn't fully patched as much as is possible it would show as Unpatched and vulnerable in Secure Browsing.

--
Was this reply relevant?
+0
-0
Midnight_Voice RE: Safari nogoodi?
Member 23rd Nov, 2010 22:26
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
Last edited on 23rd Nov, 2010 22:36
on 23rd Nov, 2010 22:25, mogs wrote:
If it wasn't fully patched as much as is possible it would show as Unpatched and vulnerable in Secure Browsing.


It does - its Status says 'Unpatched, no vendor solution', Criticality is two greens, and Secunia Advisory is SA40110.

Double-clicking the line gives the contradictory message I quoted earlier.

At the top line for Safari-as-browser (as distinct from the detail Safari line within that, which I perhaps should have made it clearer is what I was talking about before) it says 'Not secure for browsing', though the traffic lights seem to be based on the much more severe Quick Time vulnerabilities, logically enough.

Though perhaps what you are describing is the display being different in a way I haven't yet seen anywhere?

Was this reply relevant?
+0
-0
mogs RE: Safari nogoodi?
Expert Contributor 23rd Nov, 2010 22:45
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
But if you click twice on the entry in the Scan Results.....do you get a panel up with Quick facts about Safari ?
Is there an explanation in it ?

--
Was this reply relevant?
+0
-0
Midnight_Voice RE: Safari nogoodi?
Member 23rd Nov, 2010 23:06
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
on 23rd Nov, 2010 22:45, mogs wrote:
But if you click twice on the entry in the Scan Results.....do you get a panel up with Quick facts about Safari ?
Is there an explanation in it ?


Yes - it's the same panel as I see when clicking the program Safari under the browser Safari under Secure Browsing, with the same details.

However, Safari under Scan shows Patched, Threat Rating '-' Detected Version '5.33.19.4', Latest Patched Version '5.0.3' and Install Solution 'Up-to-date'

So it's shown as a threat in the Browser display, but not in the Scan display.

Was this reply relevant?
+0
-0
mogs RE: Safari nogoodi?
Expert Contributor 23rd Nov, 2010 23:16
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
So.....psi is recognizing the fact that you have the current up to date version ? That it is patched as much as is available ?
For Browsing purposes, it still points out that it has a vulnerability.
It is not contradicting itself.

--
Was this reply relevant?
+1
-0
Midnight_Voice RE: Safari nogoodi?
Member 23rd Nov, 2010 23:52
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
on 23rd Nov, 2010 23:16, mogs wrote:
So.....psi is recognizing the fact that you have the current up to date version ? That it is patched as much as is available ?
For Browsing purposes, it still points out that it has a vulnerability.
It is not contradicting itself.


I see. Threat Rating on the Scan is only shown if the program is rated as Insecure, and it's only rated as Insecure if there is a later version known to Secunia that patches a known vulnerability in your current version.

But the display on Secure Browsing works in what, to me, is the logical way, showing if a program has vulnerabilities or not, whether it has patches or not.

Well, it's what the manual says, and I see the logic of it, especially for the less technical users Secunia will be trying to support in PSI 2.0.

But I think it's crazy. The only way to know if any of your programs are vulnerable, but don't yet have vendor patches, is to explicitly click on each one in turn and see if there is a Secunia Advisory in a demure blue listed under Online References. Instead of it being out there on the Scan display and clearly visible as a traffic light.

OK, keep it like it is for non-techies, but @Secunia, can we please have a setting option for us techies that will make the traffic lights on the Scan display work like the ones on the Secure Browsing display?

Was this reply relevant?
+1
-0
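The two rules Midnight_Voice spells out in the post above (Scan flags a program as Insecure only when a newer version exists that fixes one of its advisories; Secure Browsing flags any advisory that still applies, fix or no fix) can be written down as a small model so the "Patched" and "Unpatched, no vendor solution" verdicts for the same build can be seen side by side. This is an added example, not Secunia's or the PSI's code. The Advisory records are constructed for illustration: only SA40110 (no vendor solution, rated Less critical) and the version numbers come from the thread; the `affected_major` and `fixed_in` fields and the second advisory id are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.0.3' -> (5, 0, 3). Trailing zeros are dropped so '5.0' == '5.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    sa_id: str               # advisory identifier, e.g. "SA40110"
    affected_major: int      # hypothetical field: the major line covered (5 = Safari 5.x)
    fixed_in: Optional[str]  # hypothetical field: first version with a vendor fix; None = none yet
    criticality: str


def applies(adv: Advisory, installed: Version) -> bool:
    """True when the installed build is still affected: same major line and
    either no vendor fix exists or the installed version predates the fix."""
    if installed[0] != adv.affected_major:
        return False
    if adv.fixed_in is None:
        return True
    return installed < parse_version(adv.fixed_in)


def scan_status(installed: str, advisories: Sequence[Advisory]) -> Tuple[str, Optional[str]]:
    """Scan-view rule as described in the thread: 'Insecure' only when a newer
    version exists that closes an advisory affecting the installed build.
    Returns (status, latest patched version or None)."""
    cur = parse_version(installed)
    fixes = [a.fixed_in for a in advisories if a.fixed_in is not None and applies(a, cur)]
    if not fixes:
        return "Patched", None
    return "Insecure", max(fixes, key=parse_version)


def secure_browsing_status(installed: str, advisories: Sequence[Advisory]) -> Tuple[str, List[str]]:
    """Secure-Browsing rule: report every advisory that still applies, whether
    or not the vendor has shipped a fix."""
    cur = parse_version(installed)
    open_ids = [a.sa_id for a in advisories if applies(a, cur)]
    if not open_ids:
        return "Patched", []
    if all(a.fixed_in is None for a in advisories if a.sa_id in open_ids):
        return "Unpatched, no vendor solution", open_ids
    return "Unpatched", open_ids


# Constructed advisory set: SA40110 is the one named in the thread (no vendor
# solution, rated Less critical); the second record is hypothetical and stands
# in for an issue that Apple fixed in 5.0.3.
ADVISORIES = [
    Advisory("SA40110", 5, None, "Less critical"),
    Advisory("SA-EXAMPLE-1", 5, "5.0.3", "Highly critical"),
]

if __name__ == "__main__":
    for v in ("5.0.2", "5.0.3"):
        print(v, "Scan:", scan_status(v, ADVISORIES),
              "Secure Browsing:", secure_browsing_status(v, ADVISORIES))
```

Run against 5.0.3 the model gives exactly the pair of verdicts the thread describes: Scan says "Patched" (nothing newer to install) while Secure Browsing still lists SA40110 as "Unpatched, no vendor solution". One caveat the thread's own numbers show: the Scan panel reports Detected Version '5.33.19.4' against Latest Patched Version '5.0.3', two different numbering schemes for the same build, so a dotted comparison like the one here would call 5.33.19.4 newer than 5.0.3. A real inspector has to apply its rules to whatever version scheme its detector actually reads from the binary, not to the marketing version.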
Anthony Wells RE: Safari nogoodi?
Expert Contributor 24th Nov, 2010 11:39
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Hi ,

The reason that the "secure browsing" is now hidden in settings is that when it wasn't, e.g. in 1.5.0.2, it resulted in many long threads like this one. It was dropped from the first Betas and reinstalled after much outcry in the later ones. Its placing as needing to be selected in settings means that this is the first thread I have noticed where confusion has again been voiced.

Mog's explanation, here, is consistent and reads correctly. The logic of the PSI's words needs to be read in the context of their placement, i.e. results or secure browsing.

M_V's request that all programmes that are insecure and unpatched with no solution should be displayed by the PSI has been raised several times in other threads - preferably in a separate list as per "secure browsing" - but Secunia support has said this is unlikely, as apparently it clashes with their commercial programmes (VIM 3.0 probably); but they have not given any further detailed Info.

Hope that is clear .

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0
Midnight_Voice RE: Safari nogoodi?
Member 27th Nov, 2010 17:54
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
on 24th Nov, 2010 11:39, Anthony Wells wrote:
Hi ,

The reason that the "secure browsing" is now hidden in settings is that when it wasn't, e.g. in 1.5.0.2, it resulted in many long threads like this one. It was dropped from the first Betas and reinstalled after much outcry in the later ones. Its placing as needing to be selected in settings means that this is the first thread I have noticed where confusion has again been voiced.

Mog's explanation, here, is consistent and reads correctly. The logic of the PSI's words needs to be read in the context of their placement, i.e. results or secure browsing.

M_V's request that all programs that are insecure and unpatched with no solution should be displayed by the PSI has been raised several times in other threads - preferably in a separate list as per "secure browsing" - but Secunia support has said this is unlikely, as apparently it clashes with their commercial programs (VIM 3.0 probably); but they have not given any further detailed Info.

Hope that is clear .

Take care

Anthony


Thanks Anthony; clear but disappointing.

Please excuse me for being a newbie here, and so not having seen this issue being done to death before. But as regards computer software (where I am not a newbie!), a situation like this should alert Secunia to the fact that its customers are trying to tell it something, and they should perhaps listen.

Secunia's wish that free software should not cannibalise their sales of the paid-for stuff is entirely understandable. But I've looked at both VIM and CSI, and I can't see how adding this oft-requested capability to PSI would affect sales of either. Both CSI and VIM address an entirely different market from PSI, AFAICS.

So PSI is actually a vuln patchability reporter; not an update reporter (fair enough, other products do this) but not a vuln reporter either, at least as far as Scan goes; there needs to be both software on your machine with a vuln, and newer software that addresses that vuln, before PSI will trigger.

But 'Secure Browsing' works like I expected Scan to; and Secunia trying to remove it from the latest PSI makes it sound as if their thinking is 'We keep getting asked if Scan could work like Secure Browsing, but we don't want to do that; let's remove Secure Browsing, and hope then that no-one in future is prompted to ask if PSI Scan could work like that, or point out that it can't be hard to do if Secure Browsing can do it'

Or am I being tendentious? :-)

Was this reply relevant?
+0
-0
Anthony Wells RE: Safari nogoodi?
Expert Contributor 27th Nov, 2010 20:43
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi again M_V ,

I personally feel as strongly as you ; many people/posters joined in to get "secure browsing" reinstated .

Secunia have always stated that they want everybody to feel able to patch and that the PSI must first help the most needy ; hence the ebb and flow of the "secure browsing" module .

In a similar vein , Secunia support have removed from the scan , embedded problems with no specific patch available but with known (to some/many (?!)) "work arounds" because of the amount of discussion/confusion it has generated in the threads ; the confusion is for both technically competent and the not - so there may be a point there , relative to the SA's ; Secunia have always stated that the embedded programme's vulnerability is the responsibility of the vendor of the entire programme .

Like I said , regarding listing all "insecure, no solution" programmes Secunia have not clarified the "commercial conflict" since I last asked ; I consider that this is an important security tool that is being missed out .

I know they listen , but they also have their own agenda upon which they act ; plus they like to surprise the punters with what they come up with anew . Dark Danish humour :))

Haven't noticed you being overbearing/tendentious ; everyone's opinion is valid in feedback :))

Take care

Anthony

Was this reply relevant?
+1
-0
