Safari exploit gives hackers full control over iPhones and possibly PCs and Macs

kaidomac
07-23-2007, 10:58 AM
That's a little disconcerting (http://www.engadget.com/2007/07/23/safari-exploit-gives-hackers-full-control-of-your-iphone/) :Oops:

kaidomac
07-23-2007, 11:00 AM
Looks like they have a website, too! (http://www.securityevaluators.com/iphone/)

knightlie
07-23-2007, 11:40 AM
I've heard nothing about this affecting Macs and PCs. I'd be surprised if the same exploit affects all three like that.

daveinpoway
07-23-2007, 11:40 AM
For PCs, the solution would appear obvious- don't use Safari 3 right now (a good idea even if this exploit hadn't come up, since Beta software is risky). For the iPhone, Safari seems to be the only available browser, so no hope here except following the article's advice until Apple releases a patch.

In the case of your Mac, however, it would seem to be a smart move to use an alternative browser (at least until it is known whether the Mac version of Safari is vulnerable to this problem). I personally like Camino, which seems to be more stable than Safari, but there are several free browser options for OS X.

knightlie
07-23-2007, 11:48 AM
Or don't visit any dodgy websites recommended by strangers.

Alexis
07-23-2007, 12:33 PM
Chances are very small on Safari and there's no reason at all to stop using it. There are hundreds of similar things released for IE7 every week.

As for the phone - every handset is vulnerable. A friend of mine had his Nokia hacked into and SMS abuse sent to everybody in his phonebook.

This is a typical scaremongering story as everyone wants to publish a news piece about the iPhone crashing to its knees.

Sobe
07-23-2007, 02:05 PM
> Or don't visit any dodgy websites recommended by strangers.

> Chances are very small on Safari and there's no reason at all to stop using it. There are hundreds of similar things released for IE7 every week.
>
> As for the phone - every handset is vulnerable. A friend of mine had his Nokia hacked into and SMS abuse sent to everybody in his phonebook.
>
> This is a typical scaremongering story as everyone wants to publish a news piece about the iPhone crashing to its knees.

Exactly.

daveinpoway
07-23-2007, 03:19 PM
Evidence, please, that "chances are very small on Safari"- I mean hard evidence (from Apple or a reputable Internet security outfit that understands OS X and Safari), not a gut feeling type thing. I'm not trying to start an argument here, but it's important to base statements on facts. If you have a link to a place that backs up your statement, please post it so I can read the article myself.

For me, I gave up on Safari 2 a few months ago, since it would crash on me from time to time; Camino hardly ever does. I haven't tried Safari 3 yet, since I will not use Beta software (no matter which company it comes from) on my computer.

An added advantage of Camino (at least in my situation)- some of the forums I visit display topics I have already looked at in a different color. When I was using Safari, each day, the built-in OS X maintenance scripts would erase this info, so, the next day, there would be no record of what I had read (frustrating). With Camino, this info is preserved, no matter what OS X maintenance (daily, weekly, monthly) is performed- a big plus, in my opinion.

Zoolook
07-23-2007, 03:28 PM
> Evidence, please, that "chances are very small on Safari"- I mean hard evidence (from Apple or a reputable Internet security outfit that understands OS X and Safari), not a gut feeling type thing. I'm not trying to start an argument here, but it's important to base statements on facts. If you have a link to a place that backs up your statement, please post it so I can read the article myself.

That'd be hard to do, considering this vulnerability is very new.

Fact is, as Apple moves from being a niche company to the mass market, particularly with iPhone, it's more likely to be targeted for attacks. No browser is 100% secure and none ever has been. It's not really fair to expect that any ever will be.

There has to be a certain amount of responsibility with the user. Even so, I think it is fair to say that for the average user, such an exploit using the above method is highly unlikely, given all the evidence (or lack of it) so far regarding any attacks having taken place so far.

Alexis
07-23-2007, 06:26 PM
> Evidence, please, that "chances are very small on Safari"- I mean hard evidence (from Apple or a reputable Internet security outfit that understands OS X and Safari), not a gut feeling type thing.

It's more an evidence of numbers - tens to hundreds of potentially serious exploits on IE7, compared with a single one on Safari (which hasn't even been proven on Macs and that Apple are aware of anywhere). Add to that the fact that there are very vague details on this and the alternative to not using Safari would be to either stop browsing the internet or use another browser, all of which are just as, or more, vulnerable than Safari.

And as for the phone issue, most handsets are vulnerable to attack via Bluetooth etc. anyway, so again, you can either not use a mobile phone or use another handset which is just as, or more, vulnerable.

fleurya
07-23-2007, 11:39 PM
> Evidence, please, that "chances are very small on Safari"- I mean hard evidence

Well, it does do that weird long pause and then kick back to the home screen. But the sudden Safari close problem on the iPhone has been an issue since day 1.

> Or don't visit any dodgy websites recommended by strangers.

This and avoiding dodgy emails coming from strangers, or even people I know, kept my PC virus-free for many years before my MBP.

knightlie
07-24-2007, 03:05 AM
> Evidence, please, that "chances are very small on Safari"- I mean hard evidence (from Apple or a reputable Internet security outfit that understands OS X and Safari), not a gut feeling type thing. I'm not trying to start an argument here, but it's important to base statements on facts. If you have a link to a place that backs up your statement, please post it so I can read the article myself.

You also need to provide evidence that the chances are anything but very small. The existence alone of an exploit provides absolutely no indication of how widespread it's likely to become. Given that the exploit needs to be posted on "rogue Websites" in order to work, I'd say that alone reduces the chances considerably, because most sensible people won't visit sites like that, particularly if they know their iPhone is vulnerable.

knightlie
07-24-2007, 03:06 AM
> This and avoiding dodgy emails coming from strangers, or even people I know, kept my PC virus-free for many years before my MBP.

Exactly. I rarely use a virus checker on Windows, and I've never got a virus in 20 years.

knightlie
07-24-2007, 07:50 AM
The report appears to state that the exploit affects the mobile version of Safari, according to AppleInsider, so the OS X and Windows versions are unlikely to be affected. Also, the obtaining of passwords and making phone calls is described as "worst case," so once again we see security reports blown out of proportion with theoretical leaps instead of hard facts.

Verted
07-24-2007, 08:45 AM
Please excuse my lack of security knowledge, but how does this vulnerability work? I don't understand how an attacker would initially target an iPhone. The video said that the user would think that they're opening the New York Times, but is actually loading a script written by the attacker, but how would they initially have control of the iPhone?
It doesn't really affect me because I use Mozilla Firefox but I'm still interested.

knightlie
07-24-2007, 09:37 AM
They'd have to get you to visit a specially-crafted web page, or connect to a doctored Wi-Fi hotspot. The New York Times is probably a bad example (more scaremongering), because as long as you visit the REAL New York Times website they can't send you the exploit. However, an email with a link to a fake NY Times website could be used.

And if you're using anything other than Safari on an iPhone then you're likely to be perfectly safe anyway, or at least as safe as usual. This is iPhone-specific.

daveinpoway
07-24-2007, 10:54 AM
This article here: http://news.yahoo.com/s/ap/20070723/ap_on_hi_te/iphone_hack;_ylt=Aj.2GbuKTsgItTJ3MANn0cvMWM0F indicates that the Apple computer version of Safari is vulnerable, but not the Windows version. It will probably take a few days (perhaps a week) for everything to get sorted out regarding what can and cannot be attacked.

As far as other browsers being just as insecure as Safari, that might well be true, but it just seems logical to avoid Mac applications that are shared with the iPhone, if possible, since the iPhone seems to be attracting so much hacker attention at this time. Given that other browsers work as well as (in some cases, even better than) Safari, I see no reason to marry oneself to this browser. Obviously, this is only my opinion, and those who don't wish to change have every right to keep using Safari.