If at first you don't succeed; call it version 1.0
Saturday, 16 June 2007

The phishing hole in Internet Explorer 7 that I disclosed 3 months ago was fixed by Microsoft's June security update.

The following was the vulnerable code in the ieframe.dll resource file:

The patch changed the refresh javascript: URL to call a new clickRefresh() function, as follows:

The clickRefresh() function then validates that the address after the # sign is considered safe for navigation before it replaces the location with that address.

Although this change closes the XSS vulnerability, I still don't understand why Microsoft considers local file access URLs (file://) safe for navigation. I hope this doesn't open another hole.
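To make the check described in the two paragraphs above concrete, here is an added example of a scheme-allowlist validator of that kind. It is not Microsoft's clickRefresh() from ieframe.dll; the function names, the allowlist, the hash handling and the `allowFile` switch (which models the file:// behaviour questioned above) are all assumptions made for illustration. The target URL is assumed to arrive in location.hash after the "#", as in the error page's refresh URL.

```javascript
// Added example, not code from the original post or from ieframe.dll.
// Only URLs with an allowlisted scheme may be navigated to (assumed policy).
const NAVIGABLE_SCHEMES = new Set(["http", "https", "ftp"]);

// Return the lowercase scheme of an absolute URL, or null if there is none.
// Control characters and spaces are stripped before matching because browsers
// ignore them inside a scheme ("java\tscript:" still executes), so a check on
// the raw string could be bypassed.
function schemeOf(url) {
  const cleaned = url.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// The policy applied before location is replaced. `allowFile` models the
// questionable choice of treating file:// as safe for navigation.
function isSafeForNavigation(url, allowFile = false) {
  const scheme = schemeOf(url);
  if (scheme === null) return false; // relative or schemeless: refuse
  if (scheme === "file") return allowFile;
  return NAVIGABLE_SCHEMES.has(scheme);
}

// Stand-in for clickRefresh(): takes the value of location.hash and returns
// the URL to navigate to, or null when the refresh must be refused.
function clickRefreshTarget(hash, allowFile = false) {
  const target = hash.startsWith("#") ? hash.slice(1) : hash;
  return isSafeForNavigation(target, allowFile) ? target : null;
}

// Demo over constructed inputs (run with node).
const samples = [
  "#http://www.example.com/",
  "#javascript:alert(document.cookie)",
  "#JavaScript:alert(1)",
  "#java\tscript:alert(1)",
  "#data:text/html,<script>alert(1)</script>",
  "#file:///C:/Windows/system.ini",
  "#//evil.example/",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", clickRefreshTarget(s),
              "| with file:// allowed ->", clickRefreshTarget(s, true));
}
```

Note that the check looks only at the scheme of the navigation target; a query string such as `?next=javascript:alert(1)` inside an http:// URL passes, which is correct for this check (the browser never evaluates it), but shows that the validator stops the injection only at the point where the page itself would hand a javascript: URL to location.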

In other news, a new phishing hole in Safari for Windows was disclosed by Robert Swiecki in a Full Disclosure post. He also included a proof of concept which works on the new patched version (v3.0.1) of Safari.

My suggestion remains to wait for the final release before you consider using this "secured from day one" browser.


Saturday, 16 June 2007 22:05:50 UTC | Comments [0] | Security
Thursday, 14 June 2007

A few hours ago, Apple released a new minor version (v3.0.1 Beta) of Safari for Windows.

From Apple's advisory:

CVE-ID: CVE-2007-3185
Available for: Windows XP or Vista
Impact: Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution
Description: An out-of-bounds memory read issue in Safari 3 Public Beta for Windows may lead to an unexpected application termination or arbitrary code execution when visiting a malicious website. This issue does not affect Mac OS X systems.

I've tested the new version by running Hamachi again. Apparently, this version fixes the vulnerability.

This patch also fixes the command injection vulnerability that was found by Thor.

Apple decided not to credit any of the security researchers in their advisory, and I don't think this is a smart move.


Thursday, 14 June 2007 16:56:04 UTC | Comments [1] | Security
Monday, 11 June 2007

Apple has just released a public beta of its Safari browser for Windows.

On the download page Apple writes: "Apple engineers designed Safari to be secure from day one".

So, I've decided to take it for a test drive, and ran Hamachi. I wasn't surprised to get a nice crash a few minutes later...

A first glance at the debugger showed me that this memory corruption might be exploitable, although I'll have to dig more to be sure of that.

Again, this is just a beta version. But don't you hate those pathetic claims?

[UPDATE]: David Maynor and Thor Larholm have found several more security vulnerabilities in Safari for Windows. I guess we can now call it "Day zero"...

Monday, 11 June 2007 21:19:46 UTC | Comments [2] | Security