Apple Security Updates – Safari for Macs

Apple security updates

safari logo

Safari 6.1.3 and Safari 7.0.3 – April 1, 2014

Affects

  • OS X Lion and OS X Lion Server v10.7.5
  • OS X Mountain Lion v10.8.5
  • OS X Mavericks v10.9.2

About the security content of Safari 6.1.3 and Safari 7.0.3 – HT6181:

This document describes the security content of Safari 6.1.3 and Safari 7.0.3.

This update can be downloaded and installed using Software Update, or from the Apple Support website.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see “How to use the Apple Product Security PGP Key.”

Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see “Apple Security Updates“.

Safari 6.1.3 and Safari 7.0.3

  • WebKit
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
    Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling

More in the KB HT6181 article about the specific CVE-IDs addressed.

 

According to ITWire article:

Specific changes called out by Apple are a fix for an issue that could cause the search and address field to load a webpage or send a search term before the return key is pressed, support for generic top-level domains (so that Safari loads the requested page instead of treating it as a search term), and strengthened Safari sandboxing.

Very important update.

Advertisements

Disable Java – Windows, Mac, Linux

US Department of Homeland Security advises disabling Java following fresh zero-day vulnerability – The Verge

A new Trojan horse has been discovered that exploits a flaw found in Java, leaving computers running Windows, Mac OS, and Linux vulnerable to attack. Mal/JavaJar-B allows attackers to remotely trigger code once it infects a system, potentially leading to the installation of malware, or even ransomware. Oracle hasn’t yet patched the vulnerability, which targets even the latest version of Java.

US-CERT RECOMMENDS THAT USERS DISABLE JAVA IN WEB BROWSERS

Apple has already taken care of this on the Mac by updating to disallow all Java except including the new one that hasn’t even been released yet. Excellent move from Apple.

Firefox and Google Chrome has had you click to even use Java for awhile now. From my experience, I believe that includes the current version of Java as well. As noted above, Firefox now includes the current version of Java in their blacklist. You have to personally choose to actually use Java using their Click to Play feature. Thank you Mozilla!

Google Chrome has instituted on December 21, 2012, noted in their blog posting, a feature that disallows silent extension addon installations. I believe this is something that Mozilla did some time ago when they experienced problems with it. Or maybe not.

So you will definitely want to disable Java in all browsers in Windows, Linux and on the Mac just to be safe for now.

Internet Explorer now allows you to disallow plugins by default and only allow those you specifically allow. But if you have allowed Java in the past, you will want to disable it:

How to Disable Java – PCMag

The PCMag article gives instructions for all the main browsers. Check it out and please for your sake don’t use a browser for general use that allows Java at least for now.

Disable it in at least one browser that you can use for general purpose use.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you’ll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

More here at Security Garden, Dottech.org (How to/tutorial with images) and Venture Beat as well.

I have Java totally disallowed in my main browser, and enabled in one of my other browsers so I can still go to Secunia.com to use their OSI (Online Security Inspector) to check plugins and Internet facing programs. I also compare that with Firefox’s plugin checker. This in Windows. On my Mac, I have Java disabled in all but one browser and turn Java on and off as needed overall. In Linux Java is also disabled in my main browser.

This is very important until Oracle gets this updated and is quick to fix these vulnerabilities.

Oracle really needs to get on the stick before they and all the programs that make use of them are made obsolete! And there are millions of them!!!

EDIT: As of 1/11/2013 – Added Mozilla’s and Apple’s change to include blacklisting of the current version of Java due to the Trojan affecting even the current version of Java. See the info earlier in the posting.

New Metaspoit 0-Day IE7, IE8, IE9, WinXP, Vista, Windows 7

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7 – SecurityStreet/Rapid7

We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk (source: StatCounter). We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures.

Here’s the back story: Some of you may remember that a couple of weeks ago, the Metasploit exploit team released a blog regarding a new Java exploit (CVE-2012-4681), with a blog entry titled “Let’s Start the Week with a New Java 0day in Metasploit“. You’d think the 0-day attack from the same malicious group might cool down a little after that incident… well, you’d be wrong. …

BOLD and COLOR emphasis mine.

I am sure that they only tested IE7, IE8 and IE9 initially on this because those are the only IE browsers in use right now for Windows XP, Vista and Windows 7 and based on the w3Counter, the largest number of IE users at this time.

He also said that if he were to test IE10, he was certain it would fail the test as well.

One can only imagine how miserably IE6, as the highest level of IE that works on Win2K, would do. You would think that most people have moved onto newer versions of Windows, but some have not sadly despite the fact that Win2K hasn’t had an update since I think July 2010 and despite articles like this one from Ed Bott January 16, 2010. Don’t think it’s a big issue? Well according to the IE6Countdown website, IE6 still has an impressive 6% of Internet users worldwide as of August 2012.

Sure the USA’s piece of pie for IE6 is only 0.04% but I know a few of those folks and they are diehard users who refuse to leave a dead OS and browser due to economic issues, or sight issues, or both. Now, to their credit, some of these Win2K users do have a NAT hardware router, a software firewall, and they use Firefox and not IE6, but still, Win2K has not had any updates since July 2010! Not a wise move.

Personally,  I have NO addons allowed to work in IE8 in Windows XP by default on the Installations of Windows XP SP3 that I have still running, or IE9 on Windows 7.

I lock down my other browsers with no scripting type extensions like NoScript on Firefox, Chrome, etc. regardless of the operating system I am using (Windows, Mac, Linux), as well as Adblock Plus.

Another great little program for Windows that can help you keep a handle on what is happening on your Windows computer is BillP Studio’s WinPatrol Plus and FREE WinPatrol. I use it on my WinXP SP3 as an added protection since I have a laptop that can only run WinXP (SP3 of course), I use very intermittently for special use tasks such as setting up routers, or downloading music using Amazon Downloader, or sites that use OverDrive Media Console, etc. which won’t run on Linux on my laptop. This is when I am on the road using Library or Starbucks, or other public wifi hotspots due to our bandwidth limitations here at home on Verizon Wireless.

And I have found it to be wise to use a different browser (locked down of course as much as you can tolerate), rather than the ‘ubiquitous’ browser (IE in Windows, Safari on the Mac, or whatever the default browser is in a given GUI in Linux) in any given operating system.

One can not leave this to chance these days, IMHO.

 

EDIT: Added articles – one more about the exploit and the link to information on Microsoft’s workaround:

Update: Hackers exploit new IE zero-day vulnerability – Computerworld

Customers can use the Enhanced Mitigation Experience Toolkit (EMET) 3.0 to harden IE enough to ward off the current attacks, said Wee, of the company’s Trustworthy Computing Group, in an email late on Monday.EMET 3.0 can be downloaded from Microsoft’s websites.

Microsoft issues workaround for IE 0-day exploited in current attacks – net-security.org

Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate – but not yet remove – the threat:

  • Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
  • Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

These steps could bring additional problems to the users, such as being bombarded by a slew of security warnings, so until Microsoft releases a definitive patch for the hole, maybe it would be easier for IE users to take Rapid7’s advice and switch to another browser for the time being.

Again BOLD emphasis mine.