[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Safari for Windows, 0day URL protocol handler command injection

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Safari for Windows, 0day URL protocol handler command injection
From: Andrew Redman <aredman@xxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Jun 2007 11:09:24 -0700

I wouldn't put it past Apple to steal associations in a nearly silent 
manner so that Safari becomes the default browser for untold numbers of 
Itunes users. How many of those with serious clue deficiencies would be 
willing or able to change all of those associations back? Apple could 
make Safari reclaim its default browser status every time Itunes opens. 
Its all rather shady, but Apple could gain a large market share chunk 
very rapidly just by irritating their users a bit.

I rather hope that Apple decides now is a decent time to develop some 
morals. Also I hope they don't get any ideas from this message.

 - Andrew Redman

Larry Seltzer wrote:
>>> Apple released version 3 of their popular Safari web browser today,
>>>       
> with the added twist of offering both an OS X and a Windows version.
> Given that Apple has had a lousy track record with security on OS X, in
> addition to a hostile attitude towards security researchers, a lot of
> people are expecting to see quite a number of vulnerabilities targeted
> towards this new Windows browser. 
>
> Joe Wilcox here at eWEEK is speculating, as are others, that Apple could
> start bundling Safari with the Windows iTunes software
> (http://www.microsoft-watch.com/content/web_services_browser/do_we_reall
> y_need_another_windows_browser.html). They have already done this with
> QuickTime. Safari could develop installed base quickly that way.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.eweek.com/cheap_hack/
> Contributing Editor, PC Magazine
> larryseltzer@xxxxxxxxxxxxx 
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Safari for Windows,
  - From: Jeff Kell

References:
- [Full-disclosure] Safari for Windows, 0day URL protocol handler command injection
  - From: Thor Larholm
- Re: [Full-disclosure] Safari for Windows, 0day URL protocol handler command injection
  - From: Larry Seltzer

Prev by Date: [Full-disclosure] ZDI-07-036: Arris Cadant C3 CMTS Remote DoS Vulnerability
Next by Date: [Full-disclosure] [SECURITY] [DSA 1307-1] New OpenOffice.org packages fix arbitrary code execution
Previous by thread: Re: [Full-disclosure] Safari for Windows, 0day URL protocol handler command injection
Next by thread: Re: [Full-disclosure] Safari for Windows,
Index(es):
- Date
- Thread