Browser Security News

edrawpdfviewer-activex.txt

News — Fri, 19 Jun 2009 05:17:25 +0000

The Edraw PDF Viewer component suffers from an Active-X related remote code execution vulnerability. Versions below 3.2.0.126.

Security researchers develop browser-based darknet

News — Thu, 18 Jun 2009 22:18:18 +0000

Called Veiled, the darknet only requires participants to use an HTML 5-based browser to connect and share data anonymously.

Vuln: AOL Radio AmpX ActiveX Control ‘ConvertFile()’ Buffer Overflow Vulnerability

News — Thu, 18 Jun 2009 22:17:43 +0000

AOL Radio AmpX ActiveX Control ‘ConvertFile()’ Buffer Overflow Vulnerability

Read More…
Source: Security Focus

The Hackers’ Nightmare is here!

How Firefox Is Pushing Open Video Onto the Web

News — Thu, 18 Jun 2009 21:22:17 +0000

Webmonkey chats with Mozilla’s Mike Beltzner, who tells us how Firefox 3.5 will allow videos on the web to play in the browser without plug-ins.

Bugs and Fixes: A Bonanza of Browser Bug Fixes

News — Thu, 18 Jun 2009 21:21:32 +0000

This month brings us significant browser security updates–or new versions–from Microsoft, Google, and Apple.
read more

Bugtraq: Re: iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

News — Thu, 18 Jun 2009 19:17:40 +0000

Re: iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

Read More…
Source: Security Focus

The Hackers’ Nightmare is here!

Re: iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

News — Thu, 18 Jun 2009 18:17:56 +0000

Mike, just getting to the phone dialer is not a bug! That is what the tel: protocol is for. All most all mobile phones implement this, every time you open a tel: URL you will get to the dialer in some way. Collin Mike Ely wrote: …

Bugtraq: iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

News — Thu, 18 Jun 2009 15:17:49 +0000

iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

Read More…
Source: Security Focus

The Hackers’ Nightmare is here!

Geolocating Your iPhone Users via the Browser

News — Thu, 18 Jun 2009 14:20:24 +0000

Hallelujah! Geolocation is available in the iPhone’s browser. I was thrilled to finally have this app ask to use my location. This is only true for the new 3.0 version of the browser (oddly, geolocation is *not* available in the Mac version of Safari 4). Adding the ability to geolocate users via the browser opens up a whole new range of web apps.
If you’re eager to start catering to the legion of iPhone users ready to tell you where they are, Adam DuVander (the fellow behind the Portland Wifi Finder among other things) has written up an excellent post on how to access their location. The iPhone is using the W3C Geo-Location spec. If you are running the latest version of the iPhone OS you can try it out at http://bit.ly/w3cgeo
The code itself is very simple:
navigator.geolocation.getCurrentPosition(foundLocation, noLocation);
function foundLocation(position)
{
var lat = position.coords.latitude;
var long = position.coords.longitude;
alert(’Found location: ‘ + lat + ‘, ‘ + long);
}
function noLocation()
{
alert(’Could not find location’);
}
(you can get more information on the behavior in Adam’s post)
Apple was smart about the user experience and kept the user in control. I was prompted to give Safari permission to access my location (I should only be asked this question one more time). I was then prompted to share my location with the website (in this case Adam’s test). I expect many sites to quickly update their mobile sites to include location (Google already identifies your location if you are using the Android browser so I hope they update the iPhone version of their homepage shortly).

Microsoft beating Mozilla…in open-source licensing

News — Thu, 18 Jun 2009 14:19:01 +0000

Redmond may be losing market share to Mozilla in browsers, but its open-source license is gaining ground fast against Mozilla for some very good reasons.

Edraw PDF Viewer Component ActiveX Remote code execution vulnerability

News — Thu, 18 Jun 2009 13:18:13 +0000

Edraw PDF Viewer Component ActiveX Remote code execution vulnerability By Jambalaya of Nevis Labs Date: 2009.06.16 Vender: EdrawSoft Affected: Edraw PDF Viewer Component< 3.2.0.126 *other version may also be affected Overview: "Edraw PDF Viewer Component is a light weight ActiveX Control which enables ...

iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

News — Thu, 18 Jun 2009 13:17:54 +0000

Released since Apple published the iPhone 3.0 security fixes. Vulnerability Report BEGIN ADVISORY Manufacturer: Apple (www.apple.com) Device: iPhone 3G (iPhone 1st Gen) Firmware: 2.1 (possible earlier versions) Device Type: smart phone Subsystems: Safari (and mobile telephony) Short name: iPhone Safari phone-auto-dial (vulnerability) …

Video: Hands-on with SPRXmobile’s Layar augmented reality browser for Android

News — Thu, 18 Jun 2009 12:20:46 +0000

We had a chance to go hands-on with Layar, the new augmented reality browser from SPRXmobile. Launched yesterday on Android Market in The Netherlands, we were curious to see how the software, that looked damn-impressive in the promo video, would function in actual use, in this case, from the living room of SPRXmobile’s Maarten Lens-FitzGerald just outside of Amsterdam. Our take? it’s the real-deal, especially for a v1 release. The software looks rock-solid and the initial data layers — ATMs, social joints like cafes and clubs, and job listings — appear fully populated and thus, useful. The ATM and cafe/club layers (or layars) are definitely useful for serendipitous discovery though we’re still scratching our heads over the job search layar. See, what you’re discovering are jobs you can apply for from that particular employment office, not jobs necessarily available in that specific neighborhood or office building. Next month, Layar will have access to what could be its killer app (or killer data layar) called Funda, the site in The Netherlands for finding places to rent or buy. Of course, you can imagine travel guide companies like Let’s Go and Frommers jumping into this with huge effect as well. And really, it’s content that’s going to make this type of augmented reality software a success. Maarten tells us that more partner announcements are expected this week with expansion into the US, Germany, and UK anticipated later this year on Android devices and on the iPhone 3G S (compass required). Check the interview and demo after the break.Continue reading Video: Hands-on with SPRXmobile’s Layar augmented reality browser for AndroidFiled under: Misc. GadgetsVideo: Hands-on with SPRXmobile’s Layar augmented reality browser for Android originally appeared on Engadget on Thu, 18 Jun 2009 07:59:00 EST. Please see our terms for use of feeds.Permalink | Email this | Comments

First look: Opera Unite alpha lets you share files — but is it safe?

News — Thu, 18 Jun 2009 09:17:12 +0000

With Unite, Opera plans to offer everyone their own Web server However, this alpha version is not nearly secure enough for most users.

CVE-2009-2057 (ie)

News — Thu, 18 Jun 2009 02:18:28 +0000

Microsoft Internet Explorer before 8 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an “SSL tampering” attack.

Read More…
Source: National Vulnerability Database

The Hackers’ Nightmare is here!

CVE-2009-2069 (ie)

News — Thu, 18 Jun 2009 02:18:09 +0000

Microsoft Internet Explorer before 8 displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT response page returned by a proxy server, which allows man-in-the-middle attackers to spoof an arbitrary https site by letting a browser obtain a valid certificate from this site during one request, and then sending the browser a crafted 502 response page upon a subsequent request.

Read More…
Source: National Vulnerability Database

The Hackers’ Nightmare is here!

Minor update to Safari 4

News — Thu, 18 Jun 2009 00:19:15 +0000

A quick tweak to Safari amid the iPhone OS 3.0 news corrects compatibility problems between the browser and iLife ‘09.

Vuln: Apple Safari Prior to 3.2 Multiple Security Vulnerabilities

News — Thu, 18 Jun 2009 00:17:52 +0000

Apple Safari Prior to 3.2 Multiple Security Vulnerabilities

Read More…
Source: Security Focus

The Hackers’ Nightmare is here!

Microsoft Security Advisory (956391): Update Rollup for ActiveX Kill Bits - 6/17/2009

News — Wed, 17 Jun 2009 23:18:33 +0000

Revision Note: V1.3 (June 17, 2009): Added an entry to Frequently Asked Questions to communicate that for the purpose of automatic updating, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (950760) that is described in Microsoft Security Bulletin MS08-032. Advisory Summary:Microsoft is releasing a new set of ActiveX kill bits with this advisory.

Microsoft Security Advisory (960715): Update Rollup for ActiveX Kill Bits - 6/17/2009

News — Wed, 17 Jun 2009 23:18:14 +0000

Revision Note: V1.2 (June 17, 2009): Added an entry to Frequently Asked Questions to communicate that for the purpose of automatic updating, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (950760) that is described in Microsoft Security Bulletin MS08-032. Advisory Summary:Microsoft is releasing a new set of ActiveX kill bits with this advisory.