28. July 2010 · Comments Off on Apple fixes Safari auto-fill vulnerability · Categories: Vulnerabilities · Tags: ,

It looks like Apple was working on a fix for the Safari auto-fill vulnerability after all. According to MacRumors, “As noted in the security documentation accompanying today’s release, Safari 5.0.1 and 4.1.1 address an AutoFill security flaw disclosed last week that could allow a malicious site to obtain a user’s Address Book information, including name, company affiliation, city/state/country, and email address.”

22. July 2010 · Comments Off on Safari privacy vulnerability – Apple unresponsive · Categories: Security-Compliance, Vulnerabilities · Tags: , ,

Jeremiah Grossman posted information on a very serious Safari privacy vulnerability which Apple has not yet patched. Here is a the lead paragraph of Jeremiah’s post:

Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.

Jeremiah says he notified Apple on June 17th. Other than what appears to be an automated email reply, there has been no response. Since Apple had not responded in a meaningful way, Jeremiah decided to go public, as the 83+ million Safari v4 and v5 users have a right to know so they can change the Autofill configuration to protect themselves.


06. December 2009 · Comments Off on Clientless SSL VPN design officially acknowledged as a vulnerability · Categories: Application Security, Secure Browsing, Vendor Liability · Tags: , , ,

On November 30, 2009, the US-CERT classified the design of the popular Clientless SSL VPN class of products as a vulnerability – US-CERT Vulnerability Note VU#261869. In other words, the method by which Clientless SSL VPNs work creates a vulnerability for which there is no direct fix. The issue is that Clientless SSL VPNs, by design, subvert the "same origin policy" of web browser programming languages. The policy is described here and here.

This is by no means the first time this vulnerability has been written about – see Michal Zalewski's article of June 6, 2006, which provides a lucid attack example. Cisco acknowledged MZ's references to Cisco's SSL VPN here.

All software products contain security flaws. Most of them are implementation bugs that are more or less straightforwardly fixed in a patch or a new release. Occasionally a vulnerability is the result of a design flaw. However, this is the first time that I am aware of when a security product class is architecturally flawed at it's design level.

22. November 2009 · Comments Off on Microsoft IE8 XSS prevention feature enables XSS attacks · Categories: Application Security · Tags: , , , , ,

Dan Goodin at The Register reports that Microsoft's IE 8's Cross Site Scripting prevention feature can be used to create an XSS attack.

IE8 attempts to block XSS attacks by modifying the response, i.e. the content of the web page generated by the web server coming to the browser in response to a request. The NoScript Firefox add-on, takes the opposite approach by modifying the content of the request from the browser to the web server. Here is more information. It appears that this vulnerability is not easily fixed because it's a design flaw rather than a coding flaw.

BTW, NoScript is the second most popular Firefox Privacy & Security add-on.