Browser flaws expose users to man-in-the-middle attacks
Security researchers at Microsoft have found a way to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme.
During a research project (.pdf) concluded earlier this year, the Microsoft Research team discovered a set of vulnerabilities exploitable by a malicious proxy targeting browsers' rendering modules above the HTTP/HTTPS layer.
Here's the gist of the problem, as explained by the research team:
[In] many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server. These vulnerabilities reflect the neglects in the design of modern browsers -- they affect all major browsers and a large number of websites.
According to a SecurityFocus advisory, attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how sites are rendered to the user. Other attacks are also possible.
Affected browsers include Microsoft's Internet Explorer 8, Mozilla Firefox, Google Chrome, Apple Safari and Opera.
Originally, it was believed that this issue only affected Mozilla's browsers, but the advisory was updated to reflect that the issue affects multiple browsers, not just Mozilla products.
Talkback
Apple Safari
So maybe it was just an oversight that Apple Safari was on the list since Apple is perfect and nobody can mess with them
Apple's not bulletproof, anyhow
Had a problem installing HP fax printer.
So while in the applications folder, in this "bulletproof" Macbook Pro is is only software authorized by the Mac gods themselves stands McAfee.
Anecdotal evidence
For what it's worth, I've never seen any A/V product in a clean OS X install - not even a trial version.
That is not to say that
(a) it's possible - Apple do install some 3rd party software in some bundles
(b) so do third party resellers
(c) Macs are inherently problem free
(d) that Macs cannot pass on Windows viruses via re-transmitting Windows documents
But your logic and reasoning is faulty.
That was a strawman
secure than Windows.
Hackers have tried through the years and the best they could do was to
use trojans, i.e. fool the user into installing the malware. Much worse is
of course the situation for Microsoft and all their customers who can visit
a website or simply get on-line and immediately get infected. Practically
zero security.
@Mikael_z
Apple has had carpet bombing attacks that automatically download. It's preposterous to keep asking how many of these occur in the wild. Let me ask, how would you know if you got a virus on your MAC?
It gets really tired when Apple advocates claim that a person has to be a moron to get a virus on a MAC by downloading something, but doesn't think about the fact that the same is the case in both Linux and Windows. Anytime someone downloads and executes a malware file on any platform, a virus can be executed.
Media Access Control?
ethernet. It is NOT a computer.
Second, it would take more than a moron to get a mac virus. There ARE
NO OSX viruses. Period. Do you even know the difference between a virus
and a trojan, or a worm? Again, there are no OSX viruses, either in the
wild, OR in the lab.
"Anytime someone downloads and executes a malware file on any
platform, a virus can be executed."
Yeah, may want to lookup that definition again.
Virus Shmirus
Also, the term MAC in this context refers to a computer... manufactured by a company named Apple (which is a brand name, not a fruit) and is clearly understood by all. Your jumping in with this semantic-based argument is just silly.
So, yeah, MACs are computers, and they get viruses, even with OSX... You silly dipstick (which is a device used for measuring liquid quantity in a container such as an oil sump or fuel tank).
Proper definition
~
http://www.answers.com/topic/computer-bug
(computer) bug
A problem that causes a program to produce invalid output or to crash (lock up). The problem is either insufficient logic or erroneous logic. For example, a program can crash if there are not enough validity checks performed on the input or on the calculations themselves, and the computer attempts to divide by zero. Bad instruction logic misdirects the computer to a place in the program where an instruction does not exist, and it crashes.
A program with bad logic may produce bad output without crashing, which is the reason extensive testing is required. For example, if the program is supposed to add an amount, but subtracts it instead, bad output results, although the computer keeps running. See abend, bug and buggy.
A software bug is the common term used to describe an error, flaw, mistake, failure, or fault in a computer program or system that produces an incorrect or unexpected result, or causes it to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's source code or its design, and a few are caused by compilers producing incorrect code. A program that contains a large number of bugs, and/or bugs that seriously interfere with its functionality, is said to be buggy. Reports detailing bugs in a program are commonly known as bug reports, fault reports, problem reports, trouble reports, change requests, and so forth.
http://www.answers.com/topic/computer-virus
computer virus
A computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory.
A program that enters a computer (usually without the knowledge of the operator). Some viruses are mild, and only cause messages to appear on the screen, but others are destructive and can wipe out the computer's memory or even cause more severe damage. Computer viruses spread from machine to machine on disks and through telephone lines.
~
Try to get it right, will ya....
Nope on all counts
computers, as already pointed out.
Also, again, pay attention, THERE ARE NO OSX VIRUSES. Period.
And many people find this an important distinction.
As for macs picking up malware, ANY general purpose computational
device can have "malware," since all that means is software written to
do bad things. Since good and bad are entirely relative, any computer
can run "bad things"
rm *.* is sometimes exactly what you want. (Not too often though.)
No Mac Viruses (Cough)
Do you even bother to read before you post?!?
viruses, why would you post an example of a trojan to refute my point
about viruses?!?
Again, there are no OSX viruses.
And see a doctor for that cough. It's irritating.
You may want to do some research
http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html
And what is "Sophos"?
~
Seems like you have to go through a lot before opening OSX/Oomp-A
http://www.ambrosiasw.com/forums/index.php?showtopic=102379
You can't just click on it and watch an .exe happen like you can with the thousands of pieces of Windoze malware out there...
Oh lord, Leap-A? Really?!?
Not only was Leap-A NOT a virus, it even SAID so in the headline of
the article YOU linked to!!!
"OSX/Leap-A worm spreads via iChat instant messaging software"
That said, they are completely incorrect categorizing worms as a
subclass of viruses. They will be hard pressed finding any security
researcher who categorizes them as such.
Also, Leap-A didn't even do anything, nor could it. It was not capable
of privilege escalation, so as such was impotent.
There's a reason why Macs are 'more secure'
Malware makers just don't think Macs are widely used enough. That is why they don't see it necessary to develop many malwares for Macs. Their time is valuable, you know?
But as more and more upper management people use Macs, more and more malware makers will target Macs. Then... whammo! A super-uber-malware will start infecting Macs around the world, and the Mac people will have no idea how to fix it.
You don't actually think that was even remotely insightful, do you?!?
it has gotten annoying.
It is equally annoying, considering how old the argument is, that
people like you post it like it is some great revelation, expecting
people to say, "Wow, you know, I never thought of that before."
Please, you are not in any way an original thinker, and everyone has
heard it before.
But to the specifics. First, you can attack that silly argument from
the underside. If that statement were true, one would be hard pressed
to explain the existence of a number of viruses for such platforms as
the Atari ST, the macOSes 7-9, and even the Coleco ADAM. Surely you
are not claiming they ever had significant market share!
One can also attack it directly from the top. Mac market share has
tripled in the past two years. From your postulate, one would conclude
that malware, especially viruses (of which there are still ZERO) should
have increased. But this has not happened. Or are you claiming some
magical threshold level, after which this torrent of malware will
suddenly strike. If so, you will be hard pressed to explain the even
larger lack of data to support this position.
In addition, the MAJORITY of malware code is still adapted from
exploits written in research settings. The financial motive is just not
the same in this context, and to some extent is inverted. Market share
is irrelevant, and bragging rights still hold sway. And yet still no
viruses. Even the various winners of such contests as pwn2own do not
succeed at privilege escalation exploits without physical access, and
will readily admit, including the much-lauded Charlie Miller, that
successful mac exploits of this nature are unlikely.
As for having no idea how to fix it, being that there are several mac
anti-malware apps, including the Open Source Clam AV, I doubt it
would take much effort to fix.
No it's not
At 10% market share, there's millions to be made off of malware.
Could it be they just can't come up with one without social engineering being involved? Like just clicking on a website and having it automatically installed the Windoze way?
"But as more and more upper management people use Macs, more and more malware makers will target Macs. Then... whammo! A super-uber-malware will start infecting Macs around the world, and the Mac people will have no idea how to fix it."
Well considering they still can't fix Windoze yet, that could be plausible.
Macs more secure? NOT!
See: http://blogs.zdnet.com/security/?p=2941 for the interview.
MAC security is a joke.
RE: Macs more secure? NOT!
Anything can be hacked, but the fact that Windows hassles the legitimate user more than the Mac, does not somehow make Windows more secure.
Wrong, even in all caps
Access Control Protocol on ethernet routers is secure when coupled with
appropriate security measures.
Oh, you meant macs? Why didn't you say so.
Interesting that you quote Charlie Miller. Did you know that Miller has
NEVER successfully mounted a privilege escalation attack? He is able to
commandeer Safari to deface a webpage or two, but is unable to do any
significant damage, the likes of which most people associate with
malware. There is a reason that Charlie Miller prefers macs, and thinks
they are better machines.