MacDailyNews - Where Mac news comes first


Microsoft advises Windows users to restrict use of Apple’s Safari web browser
Saturday, May 31, 2008 - 01:54 PM EDT

Microsoft has issued a "Microsoft Security Advisory (953818), 'Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform,'" that states:

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers needs.

Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

Microsoft has tested the following workaround:
• Change the download location of content in Safari to a location other than ‘Desktop.’
• Launch Safari. Under the Edit menu select Preferences.
• At the option where it states Save Downloaded Files to: select a different location on the local drive.


MacDailyNews Note: We have also tested a workaround (and it succeeds beyond your wildest dreams):
Get a Mac.

Full advisory here.

[Thanks to MacDailyNews Reader "Bizarro Ballmer" for the heads up.]

MacDailyNews Take: This is like Typhoid Mary advising on food safety.


Reader Feedback:

May 31, 08 - 01:58 pm Comment from: Typhoid Mary

Hey! I only carried one virus. Don't compare me to MS, with their 120,000+ viruses!

May 31, 08 - 02:12 pm Comment from: Harvey

It's interesting that they don't say, "We have advised Apple about this problem," it says, in too many words, "Microsoft will take.. measures... this may include a service pack, the monthly update, or a security update." They have exonerated Apple.

It's very clear that this is a Windows problem that Safari exposes, not a Safari problem. In fact, it is so clearly a Windows problem that Microsoft can't deny it.

May 31, 08 - 02:15 pm Comment from: Dutch

I don't remember Microsoft ever recommending users not to use IE on the Windows platform. That is weird considering that IE has been the less secure browser since its inception...

May 31, 08 - 02:20 pm Comment from: Passerby

Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.


Um…isn't the obvious course of action to change the location where Safari downloads content from the default?

May 31, 08 - 02:22 pm Comment from: BiZarRo BaLlmEr

Another opportunity for Safari to get installed on some more PC's.

If you don't have Safari will you get the notification anyways for "new software available" when the update is released?

May 31, 08 - 02:22 pm Comment from: Gosh

read: "we are rather unhappy about Safari's growing market share"!

May 31, 08 - 02:26 pm Comment from: iDon't

Micro$oft is a virus!!!

May 31, 08 - 02:29 pm Comment from: AnAppleFan

"read: "we are rather unhappy about Safari's growing market share"!"

Couldn't agree more. Safari now has a .21% Market share on Windows. I betcha Ballmer is throwing chairs. Microsoft is SCARED!!!! This is HUGE!!!!!!!!!!!!!!

May 31, 08 - 02:34 pm Comment from: Rob,

How DESPERATE M$ is.

May 31, 08 - 02:37 pm Comment from: drhufufur

'This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update....'

Yeah, you know the service pack named Windows 7..... but until such time we'll just get you to stop using that pesky browser.

What if Apple stymies their stymie and just brings out Safari 3.1.2 for Windows that just plain refuses to download to the Desktop - or at least warns the hapless user that they are a fsking twat for attempting to do so?

May 31, 08 - 02:39 pm Comment from: Steve

+++




BUT remember Apple sucks at security patches as in the 3 iCal security patches that Core Security was working with Apple for 7 months on getting patched and Apple just kept giving excuses to fix. Apple just plain and simple SUCKs at fixing security patches. They could fix these problems in a week if they wanted.

Some penetration testers podcasters have commented on how BAD Apple is at fixing vulnerabilities. Take that what 20 Billion in the bank and hire 4 people that find vulnerabilities. and fix them ASAP




+++




+++

May 31, 08 - 02:40 pm Comment from: Harvey

Okay, here begins the hue and cry, and if I had a castle, the villagers would be on the way with pitchforks and torches:

Microsoft isn't really evil. They think they are still a small company and behave like it. They also forget from time to time that there is an outside world, and they get scared when they suddenly realize there is one.

Case in point on forgetting there is an outside world: If you try to connect to a VPN and fail, Vista has a troubleshooter, which of course can't find the problem. At the end it recommends that you check to see if the computer is on. Now that makes no sense whatsoever to someone in Chicago trying to connect to their company's VPN in New York, but it does make sense if you are on the Microsoft campus and the other computer is in the next room and you can walk over and check.

Microsoft also does not understand why they are in the fix they are in. The monopoly stuff scared them witless. They started a partner program to make friends with their adversaries, and lost their focus on users, and with the second half of that begins their downfall. Their products are designed for salesmen and developers, not users.

May 31, 08 - 02:41 pm Comment from: ken1w

What the hell is a "blended" threat? It must mean that the vulnerability involves Safari, but it's Microsoft's fault.

May 31, 08 - 02:42 pm Comment from: swing link

Yes, I agree, Apple thinks they don't have to fix these vulnerabilities. I hope they get majorly hacked and then they will learn to fix their shit FAST!

May 31, 08 - 02:55 pm Comment from: @Harvey

When has Microsoft EVER focused on users???? They've always been focused on IT. Users don't count at Microsoft, and they never have.

May 31, 08 - 02:56 pm Comment from: geezer

see also
<http://blogs.zdnet.com/security/?p=1230>

May 31, 08 - 03:03 pm Comment from: Dumb IT Guy

Oh yeah, Apple is so lax on security and putting out fixes that systems running Mac OS X are being hacked at will on a daily basis. Oh wait, they aren't? Umm, uh, well....

May 31, 08 - 03:06 pm Comment from: M.X.N.T.4.1.

Security issues aside, because a problem should always be fixed, but when was the last time Microsoft advised their users to stop using IE altogether when there was a problem? Oh right, that would mean not using it ever.

May 31, 08 - 03:26 pm Comment from: MacNewb

Yeah, no...

I use Firefox and Safari primarily on my XP and Vista virtualizations. I only use IE7 when updating is needed. Firefox is just faster, and Safari has greater font rendering ability. Pics look better too!

May 31, 08 - 03:28 pm Comment from: MacNewb

@Steve...

Funny, I have never had a security issue with OS X, iCal, Safari, etc...

May 31, 08 - 03:41 pm Comment from: Jeremy

In case anyone is interested in the facts behind this ...

It's basically the Safari "carpet bomb" flaw (which isn't really a flaw), in combination with the IE habit of executing any code handed to it on Windows.

Safari automatically downloads stuff to the desktop from a site without asking your permission, because Apple feels that if you went to that site on purpose then the download is what you want. The stuff downloaded can't affect a Mac computer anyway so all it can ever be for a Mac user is a minor annoyance that can be stopped by going to a different site or turning off the browser. Also on a Mac, any code or files downloaded from a website have to be authorised before they will run, whereas on Windows, they just run.

On Windows this can be used to execute random code due to the IE flaws. So it's really a MS, Windows-based problem in the long run.

May 31, 08 - 03:48 pm Comment from: Dave

quote - Microsoft will take the appropriate measures to protect our customers. - /quote

Now that's funny.

D

May 31, 08 - 04:07 pm Comment from: oopsie child

This is like Typhoid Mary advising on food safety.

Or the village slut lecturing on STD's.

Then again if anyone knows about handling security crises, it's MS.

May 31, 08 - 04:13 pm Comment from: TheConfuzed1

To be fair, Microsoft is right. You really shouldn't be using Safari on Windows. In the spirit of full disclosure however, they should advise their users not to use anything with Windows.

May 31, 08 - 04:43 pm Comment from: jupiter

Typhoid Mary said: "Hey! I only carried one virus. Don't compare me to MS, with their 120,000+ viruses!"

I believe it would be a bacterium: Salmonella enterica serovar Typhi. But maybe you had a virus too.

May 31, 08 - 04:50 pm Comment from: HMCIV

Microsoft advises Windows users to restrict use of Apple’s Safari web browser

That's a headline? Really??? In other news, GM advised drivers to restrict their use of Hondas and Catholic priests urge followers to restrict their use of Presbyterians!



(Um...I didn't mean it in that way.)

May 31, 08 - 05:14 pm Comment from: alansky

Apple should include a warning with the download:

ALERT: May be habit-forming. Using this product may lead to restricted use of Internet Explorer for Windows.

May 31, 08 - 05:40 pm Comment from: Typhoid Mary

@jupiter,
I love it when gas giants get technical. wink

May 31, 08 - 06:15 pm Comment from: Mintdog

Workaround: don't use XP

May 31, 08 - 07:03 pm Comment from: tt

Why in the world doesn't Microsoft advise its users to simply not use Windows anymore??

really... not trying to be funny...

May 31, 08 - 07:03 pm Comment from: Afib is a loser

Microsoft just doesn't want to lost more people to apple, which is going to happen regardless

May 31, 08 - 07:04 pm Comment from: Afib is a loser

Lose more people to apple is what it should say

May 31, 08 - 07:38 pm Comment from: Mr. Reeee

The Spinning FUDmeisters are at it again!

Of course MS doesn't want their users to see what a modern, web standards compliant browser looks like, works like and feels like. It would illuminate the lie that Internet Explorer is and has been for years.

May 31, 08 - 07:51 pm Comment from: Mr. Reeee

Harvey…

The only "user focus" Microsoft has EVER had is how to most effectively empty the users' pockets.

May 31, 08 - 08:01 pm Comment from: derekcurrie

Now, if only Apple would provide users of Microsoft Office a similar advisory regarding macro viruses. Tsk tsk Apple.

;-D

May 31, 08 - 08:06 pm Comment from: derekcurrie

Dumb IT Guy sez:
"Oh yeah, Apple is so lax on security and putting out fixes that systems running Mac OS X are being hacked at will on a daily basis. Oh wait, they aren't? Umm, uh, well...."

Just to remind folks of what is probably Bill Gates's most senile comment of all time, thus far:

"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."
-- Bill Gates talking to NewsWeek magazine January 2007

Would you buy a window from this guy? How about Windows?

May 31, 08 - 09:14 pm Comment from: dance Monkeyboy dance

"Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft"... which will be never.

Those sly foxes at M$... they weren't born yesterday.

May 31, 08 - 10:03 pm Comment from: Ampar

"Microsoft advises Windows users to restrict use of Apple’s Safari web browser"

WWDC is a few days away. FUD timing is everything.
Expect more. MUCH more.

May 31, 08 - 11:54 pm Comment from: ElderNorm

@harvey,
Microsoft is not some nice little company that has lost its way. It's a huge powerful company that has ALWAYS focused on MONEY first. Period. How can we get the money from the customer???

After all, Vista was done for your own good. We check your computer for unlicensed software for your own good. We force DRM on you........ for your own good.

And do not forget:

"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."
-- Bill Gates talking to NewsWeek magazine January 2007

Words from a man who has totally lost all clue as to reality.

Just a thought.

en

Jun 01, 08 - 12:53 am Comment from: Mymac4ever

Sounds like a preemptive strike - make win-users of Safari unsure of its safety and woo them back to Explorer's "safe" environment

Jun 01, 08 - 01:26 am Comment from: derekcurrie

Mymac43ever sez:
"Sounds like a preemptive strike - make win-users of Safari unsure of its safety and woo them back to Explorer's "safe" environment"

Gates has always gone by the old rule of WC Fields: 'There's a sucker born every minute.' Once he found IBM, of all companies, were incredible suckers, he figured he could con-job just about anyone. Well, he was 90% right.

Meanwhile, anyone with half a brain using Windows knows that the very best way to catch malware off the Internet is to use M$ Internet Explorer. Version 7 has been a horror. I know many people who refuse to update to it, despite all the nagging from M$ via its updaters. M$ announced they are working on Version 8 ASAP just to calm people down.

Jun 01, 08 - 03:15 am Comment from: ApplePi

Haha...

If IE opened up a vulnerability in OS X, you'd be so quick to say: Well, IE sucks... it's not Apple's fault... it's crappy IE software.

The opposite happens... seriously, there are so many hypocrites here. It may come as a surprise to some of you, but Microsoft isn't as "scared" of Apple as you'd like to believe... and one of the reasons that people stick with Microsoft is their policies are, actually, less autocratic and restrictive than Apple's. Many people, even Apple developers, despise how Apple feels the need to have its finger in everything.

Apple in its current state will always appeal to a niche market. That niche market likes it that way. If Apple was really on top, there would be no enemy.

When it comes down to it, all technology is more of the same crap. All these squabbles about the technology used are nothing but "My dad can beat up your dad" arguments.

In the real world, people use what works and is cost-effective. It needn't necessarily be fancy or pretty, it doesn't need to be high-end. There are a plethora of different tools that are needed for a plethora of different applications... Apple CAN NOT come near to filling even 1% of those needs.

Apple is able to dictate its needs to people because they make a desirable product which works well in doing what it does.

Seriously, people, I'm writing this on an iMac but I'm not so blind as to worship Apple and think they're infallible... some of you really need to get a religion or something, because your worship of the Cult of Apple isn't much different.

Jun 01, 08 - 03:23 am Comment from: Passerby

@Reality Check: This particular story cannot be reversed. The bug is not in Safari. Safari is exposing a weakness in how Windows (all versions, all patches) and IE deal with executable files. Mac OS X does not have a comparable weakness for your hypothetical IE7 for Mac to expose. In this case we are not blind hypocrites. Not to say Apple couldn't and shouldn't address this issue, but it is trivially simple for individual users to seal the hole and avoid exposing the Windows/IE weakness: change the default download folder under Edit:Preferences.

I've been reading about this on a few other sites as well. The hysteria is pathetic. Apple cannot program anything correctly. Safari will destroy your whole machine. The only solution is to purge Safari from your computer. Complete and utter crap.

Change the default download folder under Edit:Preferences. Problem solved. How many times does it need to be said?

It seems either people are deeply, deeply stupid, or people are deeply, deeply dishonest. Either is depressing.

Jun 01, 08 - 04:09 am Comment from: almux

... 1st April is past? Isn't it?
M$ minds for security security? Well, well...!

Jun 01, 08 - 05:12 am Comment from: bioness

@Passerby

It was clear that Microsoft Office for macs had major security issues with entourage. But did Apple come out blaming Microsoft... no.....

This is just an attempt by Microsoft to discredit Apple... and more importantly the iPhone

Jun 01, 08 - 07:41 am Comment from: Ampar

Incredibly idiotic post from Reality Check. Let's imagine he was never here. Blind hypocrites do have advantages.

Jun 01, 08 - 08:48 am Comment from: chaz

@steve

I absolutely agree. If Apple is to be the computer of choice for the consumers, then they better have a very robust virus search and destroy team. Let's face it consumers, small business, etc. don't have IT depts to rely on. We're relying solely on Apple, and they better be up to the task or risk losing the gains they have made.

Chazzz

Jun 01, 08 - 08:56 am Comment from: chaz

@applepi

You're a little bit over the top, I'd say they do meet more than 1%. But I have to admit, Jobs does keep Apple focused, maybe too focused.

I really admire the job the CEO of Ford is doing. I've been watching closely, and actually made a big bet on Ford stock long before Krekorian. However, I am disappointed that Ford went to M$ to develop SYNC, its very desirable system for iPods, iPhones, et al. I've seen no discussion in the press if Ford went to Apple, but it seems with Apple's great ability to design user interfaces, Ford would have gone to Apple first. If they did and were rebuffed, then too bad for Apple, cause everyone's going to need this technology going forward, or something like it.

Jun 01, 08 - 09:33 am Comment from: @chaz

What makes you think Apple doesn't have the best anti virus team in the world? After nearly eight years, there are STILL no OS X viruses in the wild. Do you think that's just luck?

You admire the CEO of Ford? The same one who couldn't see that the days of SUVs were limited? We've known since 1973 that we needed to produce fuel efficient (and NO, 30mpg is NOT efficient) vehicles, yet Ford has led the charge to 5,000+ lb behemoths with 8-cylinder fuel gobbling engines. Now the company is paying the price, yet you admire this guy?

I suppose you want to blame Ford's problems on the workers. You must admire how he's shipping worker jobs off to cheap labor markets so they can remain profitable without having to produce efficient, quality products.

Jun 01, 08 - 10:40 am Comment from: chair-throwing, simian-like CEO

I don't consider this a bad problem -- and it should go without saying that it is less serious than at least one of the other issues Mr. Dhanjani has reported to Apple and that they have, properly, promised to deal with. See here:

http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

Nevertheless, it most certainly is undesirable behaviour. That a browser should download resources automatically, and that it isn't possible to switch that off, even if the less sensible behaviour is the default, is ... well, it's somewhat breathtaking. And the reply from Apple, quoted by Dhanjani, comes across as insouciant.

Altogether Apple are far too insouciant when it comes to security. And Mac users should be calling for the company to get more serious on security not pretending all is well when it's not. The MoAB affair ought to have been a wake-up call to the emotionally immature who, apparently, must needs do that, and who are, unfortunately, all too numerous among Mac users (or at least among vocal Mac users). But, of course, it was a wake-up call all too many failed to hear. Apple's relatively slow times to patch, and, particularly, its unfortunate habit of not rolling in patches in open-source modules in a timely manner should, again, give people pause for thought. These, and a number of other matters, should give Mac users pause for thought or even -- can one hope for such a thing? -- pause for breath.

But some people, like the Bourbons, are unteachable.

I like Apple's gear very much, but Apple's not my damn girlfriend. I'm not so besotted with the company, that I'll make excuses for it when it doesn't do or say the right things.

From the point of view of security -- let alone anything else -- I'd still advise anyone to buy a Mac (or a Linux machine). One could point out, for example, that ActiveX is a far more pressing danger to Windows users than this issue, and running ActiveX is something Microsoft's browser does by design.

But such comparisons are not really to the point. Apple ought to be taking security far more seriously than it seems to be doing. And, in this particular case, Apple's reply to Mr. Dhanjani was damn stupid:

...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

And one thing Apple has now succeeded in doing is handing a propaganda coup to the beast of Redmond.

Nice work, guys.
