Apple fixed hundreds of bugs, 223 to be exact, across macOS Sierra, iOS, Safari, watchOS, and tvOS on Monday.
On the first day of Pwn2Own 2017 hackers poked holes in Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux.
Apple has patched the Trident vulnerabilities in OS X and Safari. The flaws were originally disclosed in iOS and used to spy on a UAE human rights activist.
A Duo Labs report reveals the dangers of unpatched and outdated software used in business world.
Apple deployed patches for nearly all of its products, including Safari, OS X, iOS, Apple TV’s tvOS, and watchOS on Monday.
Tencent Security Team Sniper (KeenLab and PC Manager) takes top honors and is Master of Pwn for Pwn2Own 2016 earning $142,500.
Hackers took down Apple Safari and Adobe Flash earning $282,500 in prizes on Wednesday, the first day of the annual Pwn2Own hacking challenge in Vancouver.
It’s a common belief (and myth) that Apple products are invincible against malware. This false line of thinking has recently again been refuted, as iPhone and iPad users have been encountering a ransomware threat that freezes their Internet browsers, rendering their devices unusable. The ploy, commonly known as iScam, urges victims to call a number and pay $80 as a ransom to fix their device. When users visit an infected page while browsing using the Safari application, a message is displayed saying that the device’s iOS has crashed “due to a third party application” in their phone. The users are then directed to contact customer support to fix the issue.
How to clean your system if you’ve been infected by iScam
- Turn on Anti-phishing. This can be done by visiting Settings > Safari and turn on ‘Fraudulent Website Warning’. When turned on, Safari’s Anti-phishing feature will notify you if you visit a suspected phishing site.
- Block cookies. For iOS 8 users, tap Settings > Safari > Block Cookies and choose Always Allow, Allow from websites I visit, Allow from Current Websites Only, or Always Block. In iOS 7 or earlier, choose Never, From third parties and advertisers, or Always.
- Clear your history and cookies from Safari. In iOS 8, tap Settings > Safari > Clear History and Website Data. In iOS 7 or earlier, tap Clear History and tap Clear Cookies and Data. To clear other stored information from Safari, tap Settings > Safari > Advanced > Website Data > Remove All Website Data.
Check out Apple’s support forum for additional tips on how to keep your device safe while using Safari.
What it’s about
The security issue was discovered by David Leo, who put together a proof-of-concept for it. When clicking on OK a new website is being loaded. While the address bar tells you that you are visiting dailymail.co.uk the actual page is definitely a different one.
The URL-spoofing itself is done with just a few lines of code:
The last part, setInterval(“f()”,10); , makes sure that the address bar is reloaded ever 10 milliseconds (so you might as well say, that it’s kind of a DDoS attack, too), just before the browser can get the real page and so the user sees the “real” web address instead of the fake one. This causes the spoofed URL to flicker; sometimes it’s even possible to briefly see the actual URL.
What you can do
Your first step should always be to make sure that your browser is up to date so that security updates can be installed once available. In addition to that open up the Safari settings, go to the advanced tab, and choose “Show full website address”. The browser will then show the results of MathRandom in the address bar.
Alternatively you could also just use another browser for the time being: The code will not work in Google Chrome and Mozilla Firefox.
The post URL-Spoofing: Apple Safari Can Be Manipulated Easily appeared first on Avira Blog.
Apple has issued a series of bulletins for its Safari browser fixing various security vulnerabilities in its WebKit rendering engine.