Apple Safari 5 Security Ping!
If you want on or off the Mac Ping List, Freepmail me.
Posted on 06/08/2010 6:13:01 PM PDT by Swordmaker
Free at last.
Apple Safari has become the first major browser to be purged of one of the web's longest-running privacy defects: The ability for any site owner to effortlessly steal a complete copy of your recent browsing history.
The browser history disclosure leak is as old as the World Wide Web itself, and it afflicted every major browser – until now. Starting with versions released Monday, Safari no longer coughs up the list of websites a user has visited. The change is one of almost 50 security fixes Apple engineers added to versions 4.1 and 5.0 of the browser.
In characteristic Apple fashion, the company buried news of the change at the bottom of this page. We pointed the new Safari version at sites here and here, which exploit the weakness, and neither worked. The attacks succeeded just fine against Google Chrome and Firefox, and one of them succeeded even when Firefox was running the NoScript add-on.
According to the results of more than 271,000 visits captured in a recent study, the vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms. Surprisingly, the proportion was even higher for those using Safari and Chrome and among browsers that turned off JavaScript.
The history leak is the result of the same CSS, or cascading style sheet, technology that causes a browser to display links that have been visited in a different color than addresses that have not been visited. It also allows webmasters to customize content and user interfaces on their sites based on the links individual users regularly visit. Browser makers have long been aware that it can reveal potentially sensitive websites users visit, but have been reluctant to patch the hole for fear it will remove functionality people have come to depend on.
In April, Mozilla said it planned to fix the browser history leakage in an upcoming version of Firefox. While recent beta versions of the browser have the feature turned on, the latest production version remains wide open. Chrome and Internet Explorer are also vulnerable.
Because Safari is based on the same code base as Chrome, it wouldn't be surprising to see the latter browser fixed soon too. That will leave IE as the only major browser with no stated plans to fix the weakness. Microsoft has so far been tight-lipped about its plans, offering only half-baked work-arounds and the warning that browser fixes could break websites.
The history fix is by no means the only security improvement added to the latest version of Safari. The browser now ships with a filter designed to prevent XSS, or cross-site scripting, attacks from working. Microsoft introduced a similar feature to IE 8 and Firefox with NoScript achieves the same result. But as reported by the 0x0Lab Blog, Safari's implementation is easily bypassed. ®
If you want on or off the Mac Ping List, Freepmail me.
Can it be done with GoDaddy's "Website Tonight"? How do I do it? Its not really "stealing" is it?
Now that is newsworthy, Swordmaker, and thanks for the
!
And why doesn’t Firefox do the same???
Just installed Safari 5 last night and I love it. It is faster loading than my other browsers and speed is important.
From the article: “In April, Mozilla said it planned to fix the browser history leakage in an upcoming version of Firefox.”
The Firefox team will fix this eventually. I would think fairly soon now that Safari has fixed it. But writing software is a complex task, and programming teams have to set priorities. This bug will work itself to the top of the list at some point.
Thanks BullDog108. Saw that, but hope it is sooner rather than later...
Appreciate the response and this should be on the top of the Firefox list — since it is “consumer first” issue.
I loaded Safari 5 last night and have been using it almost exclusively .
I like it. Just wish they would expand the font size selection.
I loaded Safari 5 last night and have been using it almost exclusively .
I like it.
Just wish they would expand the font size selection.
Going from Times New Roman 18 to 24 is too big of a jump.
I've installed it on my MacBook Pro and my Dell PC. Seems to be impressive in speed. I had been using Chrome, but now intend to go to Safari 5.
I tried Safari 5 today. Whoa, that thing is fast. And the Reader!! If you’re trying to read an article on some site festooned with ads and junk, and with the article spread over several pages to boost the site’s hit-count, just click the “Reader” button that pops up next to the URL. And: up slides a page with just the text and links— no ads! And the whole article will be there, automatically stitched-together instead of requiring you to click link after link to get the whole article. Really useful.
It’s free for Windows and Mac: http://www.apple.com/safari/whats-new.html
Thanks for the news.
I installed Safari 5 last night, and have run into a strange problem today.
When I follow a link from FR to any other publication, I can no longer use either the red button or the black < to return to FR. Also, History will take me back to the same thread on FR, but won’t let me finish reading that thread and push < to continue on that page. It’s been driving me nuts all day because I keep losing where I was.
Anyone using either the update or 5 yet? Any problems? I usually wait to see what happens to others befoe downloading.
Thank God they have stopped the leak. Ever since I visited that porn site good looking women have been knocking on my door. Maybe now I can get some sleep!
I might be misunderstanding the problem, but you can select 'Preferences' under the 'Safari' menu item, then click the 'Appearance' tab. This shows the standard font used on web pages (unless pages set their own font, which many do via CSS). You can then change the default to a font and size of your choice.
Another option which you might find useful is to use the 'zoom in' and 'zoom out' functions under the 'View' menu to scale up or scale down a web page. To make this more convenient, you can add the 'zoom' icons to the toolbar by going to 'customize toolbar' under the 'view' menu.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.