On the first day of Pwn2Own 2017 hackers poked holes in Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux.
Apple on Monday rolled out dozens of patches including ones for its recently released Sierra operating system, OS X, iOS 10.1, watchOS, and Apple TV’s tvOS, along with fixes for Safari.
What it’s about
The security issue was discovered by David Leo, who put together a proof-of-concept for it. When clicking on OK a new website is being loaded. While the address bar tells you that you are visiting dailymail.co.uk the actual page is definitely a different one.
The URL-spoofing itself is done with just a few lines of code:
The last part, setInterval(“f()”,10); , makes sure that the address bar is reloaded ever 10 milliseconds (so you might as well say, that it’s kind of a DDoS attack, too), just before the browser can get the real page and so the user sees the “real” web address instead of the fake one. This causes the spoofed URL to flicker; sometimes it’s even possible to briefly see the actual URL.
What you can do
Your first step should always be to make sure that your browser is up to date so that security updates can be installed once available. In addition to that open up the Safari settings, go to the advanced tab, and choose “Show full website address”. The browser will then show the results of MathRandom in the address bar.
Alternatively you could also just use another browser for the time being: The code will not work in Google Chrome and Mozilla Firefox.
The post URL-Spoofing: Apple Safari Can Be Manipulated Easily appeared first on Avira Blog.
Two researchers took down the four major browsers, Internet Explorer, Firefox, Chrome, and Safari yesterday as Pwn2Own wrapped up in Vancouver.