Monday, September 19, 2011

Friend Don't Let Friends Use Safari

It is amazing to me how poorly Apple deals with security issues sometimes.   Whenever there is a hack-a-thon someplace, it is always seems that Safari is the first browser broken into first.  

Here is a past example of this happening in an article called, "Hackers Gain Access to Mac OS X in 30 Minutes" in the section titled "Flawed Apples".

"News of this contest comes on the heels of Macs being hit by two viruses and a critical security flaw.  Security experts called the Leap and Inqtana viruses relatively harmless because of their limited scope, but rated the security flaw in Apple's Safari Web browser as critical."

With this latest DigiNotar attack, Apple again is AWOL on fixing Safari when other browsers jumped all over the problem.  Below is from

"While rivals like Google, Microsoft, Mozilla, and Adobe already blocked the DigiNotar digital certificates, Apple was silent on the issue until now, prompting criticism from an analyst earlier this week. In the update, Apple noted that it "does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."  Apple said its update is available via Software Update preferences or from Apple Downloads.

At issue is Netherlands-based DigiNotar, which issues certificates that validate Web sites as legitimate. It recently disclosed that it had been hacked, and an investigation into the effect of the intrusion found that, among other things, the hack possibly compromised the Google accounts of more than 300,000 Iranians.
What this means is that when users in Iran and elsewhere navigated to certain Web sites, they might actually be visiting spoofed sites that stole personal information when users logged in. The fix from Apple and the other firms is intended to make sure you don't stumble upon a fake digital cert and compromise your data.

A hacker known as Comodo Hacker, who got his name thanks to a March hack of Comodo, has also taken credit for the DigiNotar job. He also claims to have accessed GlobalSign, prompting the company to temporarily stop issuing digital certificates."