iOS 6 security bug in wild, reenables JavaScript under Safari without input from user

Posted by:
Date: Monday, December 24th, 2012, 08:57
Category: News, security, Software

This is the reason bug fixes were invented.

Per AppleInsider the Safari web browser in Apple’s iOS 6 platform has a potentially serious JavaScript bug that could have major security and privacy implications.

The new “Smart App Banner” feature in iOS 6 is designed to allow developers the ability to promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.

But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.

iOS device owners can test this issue by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner.

Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the “on” position without warning. Accordingly, JavaScript features on websites will begin working again.

The issue has reportedly existed since the release of iOS 6 months ago, though it has not been widely reported. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple’s pre-release test software on the iPhone.

Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a “serious privacy and security vulnerability.”

Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it’s something that Apple should work to address as quickly as possible.

“It is a security issue, it is a privacy issue, and it is a trust issue,” Eckersley said. “Can you trust the UI to do what you told it to do? It’s certainly a bug that needs to be fixed urgently.”

But Lysa Myers, a virus hunter at security firm Intego, said she doesn’t see the bug as a major concern for the vast majority of iOS device owners.

“While this issue is certainly not an ideal situation, by itself it actually isn’t that large a problem,” said Myers. “At the moment it doesn’t pose a threat, but we’ll continue to monitor it to make sure it doesn’t become more exploitable. There’s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.”

Stay tuned for additional details as they become available.

Google Chrome updated to 23.0.1271.101

Posted by:
Date: Tuesday, December 18th, 2012, 07:22
Category: News, Software

google-chrome-logo

Hey, an update’s an update.

Late Monday, Google released version 23.0.1271.101 of its Chrome web browser. The update, a 56.5 megabyte download, adds the following fixes and changes:

- This build contains the fix to a bug with sound distortion with microphone input: 157613.

Google Chrome 23.0.1271.101 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Google Chrome updated to 23.0.1271.97

Posted by:
Date: Wednesday, December 12th, 2012, 08:05
Category: News, Software

google-chrome-logo

Hey, an update’s an update.

Late Tuesday, Google released version 23.0.1271.97 of its Chrome web browser. The update, a 56.5 megabyte download, adds the following fixes and changes:

- Some texts in a Website Settings popup are trimmed (Issue: 159156).

- Some plugins stopped working (Issue: 159896).

- Fixed a known crash (Issue:161854).

Google Chrome 23.0.1271.97 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Mozilla releases Firefox 17.0.1 update

Posted by:
Date: Monday, December 3rd, 2012, 08:57
Category: News, Software

elfirefox

Hey, an update’s an update…

Over the weekend, Mozilla.org released version 17.0.1 of its Firefox web browser. The new version, a 34.1 megabyte download and adds the following fixes and changes:

Fixed:
- Font rendering issue in Firefox 17.0 (bug 814101).

- 17.0.1: Reverted user agent change causing some website incompatibilities.

- Over twenty performance improvements, including fixes around the New Tab page.

- 17.0.1: Leaving Private Browsing with Social API enabled should reset social components (814554).

- Pointer lock doesn’t work in web apps (769150).

- Page scrolling on sites with fixed headers (780345).

- Known Issues Unresolved If you try to start Firefox using a locked profile, it will crash (see 573369).

Unresolved:
- For some users, scrolling in the main GMail window will be slower than usual (see 579260).

- Unresolved Windows: The use of Microsoft’s System Restore functionality shortly after updating Firefox may prevent future updates (see 730285).

New:
- First revision of the Social API and support for Facebook Messenger.

- Click-to-play blocklisting implemented to prevent vulnerable plugin versions from running without the user’s permission (see blog post)

Changed:
- Updated Awesome Bar experience with larger icons.

- Mac OS X 10.5 is no longer supported.

Developer:
- JavaScript Maps and Sets are now iterable.

- SVG FillPaint and StrokePaint implemented.

- Improvements that make the Web Console, Debugger and Developer Toolbar faster and easier to use.

- New Markup panel in the Page Inspector allows easy editing of the DOM.

HTML 5:
- Sandbox attribute for iframes implemented, enabling increased security.

Firefox 17.0.1 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Google Chrome updated to 23.0.1271.95

Posted by:
Date: Friday, November 30th, 2012, 08:54
Category: News, Software

google-chrome-logo

You can’t knock a bug fix.

Late Monday, Google released a beta of version Google Chrome updated to 23.0.1271.95 of its Chrome web browser. The update, a 56.5 megabyte download, adds the following fixes and changes:

- [161564] High CVE-2012-5138: Incorrect file path handling. Credit to Google Chrome Security Team (Jüri Aedla).

- [$7331] [162835] High CVE-2012-5137: Use-after-free in media source handling. Credit to Pinkie Pie.

Google Chrome 23.0.1271.95 requires an Intel-based Mac with Mac OS X 10.5 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Google Chrome updated to 23.0.1271.91

Posted by:
Date: Tuesday, November 27th, 2012, 07:11
Category: News, Software

google-chrome-logo

You can’t knock a bug fix.

Late Monday, Google released a beta of version Google Chrome updated to 23.0.1271.91 of its Chrome web browser. The update, a 56.5 megabyte download, adds the following fixes and changes:

- No audio from Flash content when speaker configuration is set to Quadraphonic (Issue: 159924).

- Aw, Snap renderer crash on Windows Server 2003 (Issue: 160559).

Google Chrome 23.0.1271.91 requires an Intel-based Mac with Mac OS X 10.5 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Mozilla releases Firefox 17.0 update

Posted by:
Date: Wednesday, November 21st, 2012, 09:35
Category: News, Software

elfirefox

The Firefox version number just keeps getting pushed higher…

Late Wednesday, Mozilla.org released version 17.0 of its Firefox web browser. The new version, a 33.3 megabyte download and adds the following fixes and changes:

What’s new:
- FIXED – 16.0.2: Security fixes can be found here

- FIXED – 16.0.1: Vulnerability outlined here.

- NEW – Firefox on Mac OS X now has preliminary VoiceOver support turned on by default.

- NEW – Initial web app support (Windows/Mac/Linux).

- NEW – Acholi and Kazakh localizations added.

- CHANGED – Improvements around JavaScript responsiveness through incremental garbage collection.

- DEVELOPER – New Developer Toolbar with buttons for quick access to tools, error count for the Web Console, and a new command line for quick keyboard access.

- DEVELOPER – CSS3 Animations, Transitions, Transforms and Gradients unprefixed in Firefox 16.

- DEVELOPER – Recently opened files list in Scratchpad implemented.

- FIXED – Debugger breakpoints do not catch on page reload (783393).

- FIXED – No longer supporting MD5 as a hash algorithm in digital signatures (650355).

- FIXED – Opus support by default (772341).

- FIXED – Reverse animation direction has been implemented (655920).

- FIXED – Per tab reporting in about:memory (687724).

- FIXED – User Agent strings for pre-release Firefox versions now show only major version (728831).

Known Issues:
- UNRESOLVED – If you try to start Firefox using a locked profile, it will crash (see 573369).

- UNRESOLVED – For some users, scrolling in the main GMail window will be slower than usual (see 579260).

- UNRESOLVED – Windows: The use of Microsoft’s System Restore functionality shortly after updating Firefox may prevent future updates (see 730285).

- UNRESOLVED – Pointer lock doesn’t work in web apps (see 769150).

Firefox 17.0 requires an Intel-based Mac running Mac OS X 10.5 or later to install and run.

If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Opera 12.11.1659 public beta goes live, now available for download

Posted by:
Date: Friday, November 16th, 2012, 06:14
Category: News, Software

operalogo

On Monday, Opera Software released a public beta of version 12.11.1659 of its web browser. The new version, a 19.1 megabyte download via MacUpdate, boasts the following fixes and changes:
- CT-3634 Switch with foreignobject is not rendered

- CORE-49240 Some jQuery functions not working correctly in Opera 12.10.

- CORE-49235 Complicated transitions don’t always start or complete, leaving behind a messed up layout.

- CORE-49175 Crash if SVG foreignObject is display:list-item.

- DSK-377538 Opera uses 100%+ cpu on google chat.

- DSK-376755 alt + space does not bring up system menu.

Opera 12.11.1659 is available for free and requires an Intel-based Mac running Mac OS X 10.5 or later to install and run.

If you’ve tried the new version and have any feedback to offer, let us know in the comments.

Google Chrome updated to 23.0.1271.64

Posted by:
Date: Wednesday, November 7th, 2012, 08:53
Category: News, security, Software

google-chrome-logo

It’s the bug fixes that make a difference.

Late Tuesday, Google released a beta of version 23.0.1271.64 of its Chrome web browser. The update, a 56.5 megabyte download, adds the following fixes and changes:

- Medium CVE-2012-5127: Integer overflow leading to out-of-bounds read in WebP handling. Credit to Phil Turnbull.

- High CVE-2012-5116: Use-after-free in SVG filter handling. Credit to miaubiz.

- [Mac OS only] [149717] High CVE-2012-5118: Integer bounds check issue in GPU command buffers. Credit to miaubiz.

- High CVE-2012-5121: Use-after-free in video layout. Credit to Atte Kettunen of OUSPG.

- Low CVE-2012-5117: Inappropriate load of SVG subresource in img context. Credit to Felix Groebert of the Google Security Team.

- Medium CVE-2012-5119: Race condition in Pepper buffer handling. Credit to Fermin Serna of the Google Security Team.

- Medium CVE-2012-5122: Bad cast in input handling. Credit to Google Chrome Security Team (Inferno).

- Medium CVE-2012-5123: Out-of-bounds reads in Skia. Credit to Google Chrome Security Team (Inferno).

- High CVE-2012-5124: Memory corruption in texture handling. Credit to Al Patrick of the Chromium development community.

- Medium CVE-2012-5125: Use-after-free in extension tab handling. Credit to Alexander Potapenko of the Chromium development community.

- Medium CVE-2012-5126: Use-after-free in plug-in placeholder handling. Credit to Google Chrome Security Team (Inferno).

- High CVE-2012-5128: Bad write in v8. Credit to Google Chrome Security Team (Cris Neckar).

Google Chrome 23.0.1271.64 requires an Intel-based Mac with Mac OS X 10.5 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Opera 12.10.1650 public beta goes live, now available for download

Posted by:
Date: Monday, November 5th, 2012, 10:45
Category: News, Software

operalogo

On Monday, Opera Software released a public beta of version 12.10.1650 of its web browser. The new version, a 20.1 megabyte download via MacUpdate, boasts the following fixes and changes:

- Multiple bug fixes.

Opera 12.10.1615 is available for free and requires an Intel-based Mac running Mac OS X 10.5 or later to install and run.

If you’ve tried the new version and have any feedback to offer, let us know in the comments.