Published in TidBITS 884.
Apple Updates Windows Safari Beta with Security Fixes
Within three days of Apple's release of beta versions of the Safari Web browser for Windows XP and Vista, several significant security flaws were discovered, some of which were reported to Apple. The company responded quickly, issuing a bug-fix release last week for three problems, each of which is triggered by specially crafted content on a malicious Web site that the user must visit.
The bugs were discovered - at least according to the descriptions provided by the coders who found them - through fuzzing, a technique that throws piles of crud (random or deliberately malformed input) at targeted areas of a system or application to see what breaks. Fuzzing is a brute-force method: it turns up crashes, not exploits, and it has to be paired with more refined technical knowledge of why the target crashed before anyone can take advantage of a flaw.
A non-programmer could potentially use fuzzing to figure out how to crash a piece of software or even an operating system, but historically would have had a harder time turning that crash into a tailored attack that grants some sort of access. Programs like Metasploit provide a bridge between fuzzing and exploitation, however, and as they become increasingly powerful, "script kiddies" - relatively unsophisticated attackers who rely on prefabricated attacks - may gain more disruptive power.
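The "throw crud at it and see what breaks" process described above, as an added example that is not part of the original article and has nothing to do with Apple's or Safari's code: a small mutation fuzzer in Python run against a constructed toy parser (naive_parse_tag, a made-up name) with one planted bug. The seed inputs, the mutation operators, and the INTERESTING byte list are all assumptions chosen for illustration. The parts a practitioner cares about are the oracle (the target's documented rejection, a ValueError here, is not a crash; anything else is), deduplication of crashes by exception type and location, and minimization of each crashing input so that the refined-analysis step has something small to look at.

```python
import random
import traceback
from typing import Callable, Dict, List, Optional, Tuple

# Constructed toy target standing in for the component under test. It is NOT
# Safari or any Apple code: a naive parser for inputs shaped like
# <name key="value" key2="value2"> with one planted bug. Its contract is
# "return the parse, or raise ValueError for input it rejects".
def naive_parse_tag(data: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
    if not (data.startswith(b"<") and data.endswith(b">")):
        raise ValueError("not a tag")
    name, _, attr_text = data[1:-1].partition(b" ")
    if not name.isalpha():
        raise ValueError("bad tag name")
    attrs: Dict[bytes, bytes] = {}
    for pair in attr_text.split(b" "):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        # BUG: assumes every attribute carries a quoted value. A bare attribute
        # such as <a href> leaves value empty, so value[0] raises IndexError
        # instead of the ValueError the contract promises.
        if value[0] != ord('"') or value[-1] != ord('"'):
            raise ValueError("unquoted value")
        attrs[key] = value[1:-1]
    return name, attrs

Target = Callable[[bytes], object]
Signature = Tuple[str, int]        # (exception class, line it was raised on)

def run_case(target: Target, data: bytes) -> Optional[Signature]:
    """Run one input; return a crash signature, or None if the target coped."""
    try:
        target(data)
    except ValueError:
        return None                # the target's documented way of saying no
    except Exception as exc:       # anything else is an unexpected crash
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc).__name__, frame.lineno)
    return None

# Bytes that tend to matter to parsers: NUL, newline, space, quote, < = >, DEL, 0xFF
INTERESTING = [0x00, 0x0A, 0x20, 0x22, 0x3C, 0x3D, 0x3E, 0x7F, 0xFF]

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random mutations to a copy of a seed input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(5)
        if op == 0 and buf:                          # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                        # overwrite with an interesting byte
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 2 and len(buf) > 1:               # delete a short chunk
            i = rng.randrange(len(buf))
            del buf[i:i + rng.randint(1, 4)]
        elif op == 3:                                # insert random bytes
            i = rng.randint(0, len(buf))
            buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif op == 4 and buf:                        # repeat a chunk (oversized fields)
            i = rng.randrange(len(buf))
            buf[i:i] = buf[i:i + rng.randint(1, 8)] * rng.randint(1, 8)
    return bytes(buf)

def minimize(target: Target, case: bytes, sig: Signature) -> bytes:
    """Greedy byte-by-byte reduction that keeps the same crash signature."""
    changed = True
    while changed:
        changed = False
        i = 0
        while i < len(case):
            candidate = case[:i] + case[i + 1:]
            if run_case(target, candidate) == sig:
                case, changed = candidate, True      # byte was irrelevant, drop it
            else:
                i += 1
    return case

def fuzz(target: Target, seeds: List[bytes], iterations: int,
         rng_seed: int = 0) -> Dict[Signature, bytes]:
    """Mutate seeds, run them, and keep one minimized input per distinct crash."""
    rng = random.Random(rng_seed)                    # fixed seed: reproducible runs
    found: Dict[Signature, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        sig = run_case(target, case)
        if sig is not None and sig not in found:     # new crash site, not a duplicate
            found[sig] = minimize(target, case, sig)
    return found

# Constructed, well-formed seed inputs; every test case is a mutation of one of these.
SEEDS = [b'<a href="x">', b'<img src="y" alt="z">']

if __name__ == "__main__":
    for (exc_name, line), case in fuzz(naive_parse_tag, SEEDS, 3000, rng_seed=1).items():
        print(f"{exc_name} at line {line}, minimized input: {case!r}")
```

Against the toy target this finds the bare-attribute crash within a few thousand cases and reduces it to a five-byte input of the form `<a b>`. Against a real browser the target would be a harness that loads each case into the rendering engine and the oracle would be a crash or a sanitizer report rather than a Python exception, but the loop is the same, which is the point of the article: the tooling is cheap and public, and a vendor can run it against its own beta before anyone else does.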
It's disturbing that Apple isn't stress-testing its public beta software with the same kind of readily available tools for fuzzing used by both researchers and the nefarious. Many of the Month of Apple Bugs flaws (see "MoAB Is My Washpot," 2007-02-19), as well as many recent AirPort and AirPort Extreme problems, were discovered through fuzzing.
Apple's security update notice, which I cannot find archived online, notes, "This beta software is for trial purposes and intended to gather feedback prior to a full release." That is, "Bite us: This is beta software." The flip side, of course, is that when Steve Jobs says, in effect, hey, go download the beta, it's hard to argue that serious security flaws in it are any less serious than they would be in released software.
Apple also said, "As with all our products, we encourage security researchers to report issues to product-security@apple.com." No researchers were credited for the three fixed bugs.