Apple releases Safari 3.2 with phishing protection

[AppleInsider]

Apple on Thursday afternoon released Safari 3.2, a recommended update for all Safari users that delivers protection from fraudulent phishing websites and better identification of online businesses.

The update also includes the latest security fixes.

Download Links

Users of the Apple web browser can download the new version through the Software Update application available on their Mac (under the Apple menu) or PC.

Safari 3.2 for Mac OS X 10.5.5 Leopard [39MB]

Safari 3.2 for Mac OS X 10.4.11 Tiger [25.7MB]

Safari 3.2 for *Windows XP or Vista [19MB]

Background

Apple briefly included anti-phishing measures in builds of Safari 3.0 that were originally included with tests seeds of the now released Mac OS X 10.5 Leopard operating system back in October of 2006. When Leopard hit the market last fall, it quickly became apparent that those features had been pulled.

Earlier this year, e-commerce sites such as PayPal said they would consider blocking the use of any web browser that didn't provided added validation measures, which would have potentially restricted the use of Safari with those services.

[ View this article at AppleInsider.com ]

[Virgil-TB2]

Quote:

Originally Posted by AppleInsider

Apple on Thursday afternoon released Safari 3.2, a recommended update for all Safari users that delivers protection from fraudulent phishing websites and better identification of online businesses....

Anyone got a URL that could be used to test the feature?

[rpoland]

Does that mean that Safari Version 4 Developer Preview (5526.11.2) should be replaced?

[J@ffa]

Quote:

Originally Posted by Virgil-TB2

Anyone got a URL that could be used to test the feature?

http://chaseonline.chase.com.ssl.com.kg/

[solipsism]

Quote:

Originally Posted by Virgil-TB2

Anyone got a URL that could be used to test the feature?

Just type in 'Phishing Test' into Google. There are plenty of options.

However, I can't get any of them to work. On top of that, Acid3 is still at 75/100 and it causes crashes when running WebKit within it or using extensions, so I don't recommend it for all users.

I'm going back to Safari 4, which doesn't have the phishing option added yet.

[solipsism]

Quote:

Originally Posted by J@ffa

http://chaseonline.chase.com.ssl.com.kg/

That one was blocked correctly. I guess they aren't using Google's or Mozilla's DB on phishing sites.

[kim kap sol]

Quote:

Originally Posted by solipsism

That one was blocked correctly. I guess they aren't using Google's or Mozilla's DB on phishing sites.

Are you sure? The links on the phishing warning all lead to Google.

[i386]

Big wow, so what, I'll stick with Firefox 3, thanks

[Virgil-TB2]

Quote:

Originally Posted by solipsism

Just type in 'Phishing Test' into Google. There are plenty of options.

However, I can't get any of them to work. On top of that, Acid3 is still at 75/100 and it causes crashes when running WebKit within it or using extensions, so I don't recommend it for all users.

I'm going back to Safari 4, which doesn't have the phishing option added yet.

Phishing site test worked for me, no crashes with extensions either. (does only get 75 on Acid 3 though)

Possibly all the goofing around with WebKit you do has left you with a non-standard set of components relative to the average user.

[solipsism]

Quote:

Originally Posted by kim kap sol

Are you sure? The links on the phishing warning all lead to Google.

Not at all. I assumed that this site would also be in Google's phishing DB, but it does clearly say Firefox on the page.

[solipsism]

Quote:

Originally Posted by Virgil-TB2

Possibly all the goofing around with WebKit you do has left you with a non-standard set of components relative to the average user.

WebKit is a separate app. It just calls the Safari Libraries when launched. You can still launch your verision of Safari alongside it just fine. As for extensions, that would depend on the extention. It seems Glims is causing crashes with the new build.

[kim kap sol]

WebKit piggybacks off Safari. So it's entirely possible to get all the Safari 4 goodness *and* the new anti-phishing feature.

So...yes, it's possible to score 100% on Acid3 *and* get protection from fake Chase sites.

[wizard69]

I just down loaded and did the reboot. I'm wondering if they rolled any of the javascript improvements into this revision or is that still off in the future.

We security is nice and all but I don't do much on line where that is a problem. What I really want is to see all the new HTML 5 and other improvements go mainstream.

dave

[eAi]

Yes, if you installed Safari 3.2, you can still use WebKit nightlies and get the benefit of phishing protection in Safari 3.2.

Based on the comments above, I'd say that they haven't updated WebKit (significantly) for this release. Maybe we'll have to wait for Snow Leopard for that.

[solipsism]

Quote:

Originally Posted by kim kap sol

WebKit piggybacks off Safari. So it's entirely possible to get all the Safari 4 goodness *and* the new anti-phishing feature.

So...yes, it's possible to score 100% on Acid3 *and* get protection from fake Chase sites.

Yeah, I'm sure a new WebKit will work fine, but you can't use "Safari 4 goodness" and the anti-phishing feature, unless it's a hidden feature in which a PLIST edit will enable it. Though I'm sure the next Safari 4 beta will have added it, so no worries.

[mjuchter]

I've run the upgrade twice now, once from Software Update and then as a download and each time I reboot and... Still have Safari 3.0.4. Anyone else having this problem?

[solipsism]

Quote:

Originally Posted by mjuchter

I've run the upgrade twice now, once from Software Update and then as a download and each time I reboot and... Still have Safari 3.0.4. Anyone else having this problem?

I did on one machine. Rename Safari to 'Safari 3.0.4' or whatever, then do the update.

[mjuchter]

Quote:

Originally Posted by solipsism

I did on one machine. Rename Safari to 'Safari 3.0.4' or whatever, then do the update.

Still no go. Renamed it to Safari Old, ran the install, and when I came back all I had was Safari Old, same version.

Doesn't look like I'm meant to upgrade.

[swim2383]

after updating, safari only crashes now.

[solipsism]

Quote:

Originally Posted by swim2383

after updating, safari only crashes now.

Uninstall any extensions and plugins that aren't ordained by Apple.

[Virgil-TB2]

Quote:

Originally Posted by solipsism

WebKit is a separate app. It just calls the Safari Libraries when launched. You can still launch your verision of Safari alongside it just fine. As for extensions, that would depend on the extention. It seems Glims is causing crashes with the new build.

that's pretty much exactly what I was (poorly) trying to say.

[Timmmy]

This sucks.
They included previously unpatched security fixes in this release in addition to the anti-phishing feature.

Apple needs to release a standalone Security Update for the security fixes.

So, anyone who chooses to skip this update will still be vulnerable to the following Safari exploits:


•Safari

CVE-ID: CVE-2008-3644

Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

Impact: Sensitive information may be disclosed to a local console user

Description: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user. This update addresses the issue by properly clearing the form data. Credit to an anonymous researcher for reporting this issue.

•WebKit

CVE-ID: CVE-2008-2303

Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.

•WebKit

CVE-ID: CVE-2008-2317

Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in WebCore's handling of style sheet elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to an anonymous researcher working with the TippingPoint Zero Day Initiative for reporting this issue.

•WebKit

CVE-ID: CVE-2008-4216

Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

Description: WebKit's plug-in interface does not block plug-ins from launching local URLs. Visiting a maliciously crafted website may allow a remote attacker to launch local files in Safari, which may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface. Credit to Billy Rios of Microsoft, and Nitesh Dhanjani of Ernst & Young for reporting this issue.

[derev]

Quote:

Originally Posted by swim2383

after updating, safari only crashes now.

It only crashes when I try to "Reopen all windows from last session, oh and when I tried to open a link n a new window, and oh....

[Londor]

Same here. Constant crashes to the point that it is unusable.

Does anyone have a link to 3.1.2?

[Bowser]

Quote:

Originally Posted by i386

Big wow, so what, I'll stick with Firefox 3, thanks

Yawn...

Another also-ran, primitive, clunky Windows port. I'll stick with OmniWeb; been using it since v3 and it blows FF and Safari out of the water. And yes, I actually paid for it, and no, I don't work for OmniGroup.

[solipsism]

Quote:

Originally Posted by Londor

Does anyone have a link to 3.1.2?

• http://www.apple.com/support/downloads/

[Hands Sandon]

Quote:

Originally Posted by Londor

Same here. Constant crashes to the point that it is unusable.

Does anyone have a link to 3.1.2?

Go to the Apple site-downloads and enter safari 3.1.2 in the search box and it'll come up as a download.

[Londor]

Quote:

Originally Posted by solipsism

• http://www.apple.com/support/downloads/

Quote:

Originally Posted by Hands Sandon

Go to the Apple site-downloads and enter safari 3.1.2 in the search box and it'll come up as a download.

Thanks but have you actually tried to download it because I always get redirected to 3.2?

Edit: I have stopped the crashes in 3.2 by removing PithHelmet. Anyway I'd still very much appreciate if someone knows where to get 3.1.2.

[Hands Sandon]

Quote:

Originally Posted by Londor

Thanks but have you actually tried to download it because I always get redirected to 3.2?

Edit: I have stopped the crashes in 3.2 by removing PithHelmet. Anyway I'd still very much appreciate if someone knows where to get 3.1.2.

Re-directed me too, but I've got 3.2 on 10.5.5. Maybe you need 10.4 or older to get it?

[solipsism]

Quote:

Originally Posted by Londor

Edit: I have stopped the crashes in 3.2 by removing PithHelmet. Anyway I'd still very much appreciate if someone knows where to get 3.1.2.

Apple doesn't play well with others. I can't find the DL anywhere. Do you have TM backup?

Quote:

Originally Posted by Hands Sandon

Re-directed me too, but I've got 3.2 on 10.5.5. Maybe you need 10.4 or older to get it?

Tiger, Leopard and Windows are all 3.2. I can't find a link that doesn't redirect me to 3.2.

[derev]

Quote:

Originally Posted by Hands Sandon

Go to the Apple site-downloads and enter safari 3.1.2 in the search box and it'll come up as a download.

No it won't. It redirects to the 3.2 dl

Luckily I didn't upgrade my laptop.

[Hands Sandon]

Quote:

Originally Posted by solipsism

Apple doesn't play well with others. I can't find the DL anywhere. Do you have TM backup?


Tiger, Leopard and Windows are all 3.2. I can't find a link that doesn't redirect me to 3.2.

Wouldn't users of 10.5.2 be able to use that 3.1.2 hence the link being left up?

[solipsism]

Quote:

Originally Posted by Hands Sandon

Wouldn't users of 10.5.2 be able to use that 3.1.2 hence the link being left up?

Not necessarily. the OS X requirements are "Any Mac running Security Update 007 and Mac OS X Leopard 10.5.5 or Mac OS X Tiger 10.4.11 (or higher)", so Apple may want you to update your OS X version. Especially since the updates are free so there is no legitimate reason, in Apple's eyes, why you wouldn't want the latest point update of OS X but want the latest version of Safari.

[Hands Sandon]

Quote:

Originally Posted by solipsism

Not necessarily. the OS X requirements are "Any Mac running Security Update 007 and Mac OS X Leopard 10.5.5 or Mac OS X Tiger 10.4.11 (or higher)", so Apple may want you to update your OS X version. Especially since the updates are free so there is no legitimate reason, in Apple's eyes, why you wouldn't want the latest point update of OS X but want the latest version of Safari.

I don't have any unordained apps on my mini, but if I get some I might find that Safari 3.2 starts to crash and I'll have to delete them. Will an update fix this soon through the app, as there's no way to get 3.1.4 etc on 10.5.5?

[ajmas]

Quote:

Originally Posted by kim kap sol

WebKit piggybacks off Safari. So it's entirely possible to get all the Safari 4 goodness *and* the new anti-phishing feature.

So...yes, it's possible to score 100% on Acid3 *and* get protection from fake Chase sites.

I would say that Safari piggybacks off Webkit, since the Webkit framework gets installed into the OS, and then Safari simply makes use of it. You could get the code that is going to go into Safari 4, but it likely not have been certified for prime time. http://www.webkit.org is where it resides, but this is highly development oriented, so I wouldn't trust anything important on it.

[solipsism]

Quote:

Originally Posted by ajmas

I would say that Safari piggybacks off Safari, since the Webkit framework gets installed into the OS, and then Safari simply makes use of it. You could get the code that is going to go into Safari 4, but it likely not have been certified for prime time. http://www.webkit.org is where it resides, but this is highly development oriented, so I wouldn't trust anything important on it.

Since he is talking specifically about the WebKit nightly builds, you click on WebKit.app instead of Safari.app, which calls the Safari libraries and even states Safari in the Menu Bar and lists the version as the latest version of Safari that you have installed. There are only a few signs that tell you running a WebKit nightly The gold rimmed compass icon, instead of silver, and the results of an Acid3 test are two. The Safari container is completely unchanged, so his initial statement was apt, but in a general sense you are also correct.

PS: I find the WebKit nightly builds to be quite stable, almost all of the time. The advancements they've made with JS processing since the build Apple uses in their Safari current releases makes them worthwhile. Now, Safari 4 beta, on the other hand, still has quirks so it's not worth the trouble, IMO.

[CharlesS]

Quote:

Originally Posted by solipsism

Apple doesn't play well with others.

It is not Apple's responsibility to ensure compatibility with third party hacks.

[kaiwai]

Quote:

Originally Posted by CharlesS

It is not Apple's responsibility to ensure compatibility with third party hacks.

True - and lets ALSO remember that the interfaces which these third party hacks use are NOT supported by Apple in ANY form.

I wish some people here would put a cork in it when they don't know what the heck they're talking about.

[Kolchak]

Apple is losing its way. Whatever happened to "it just works"? Now they've got so many interdependencies, it's not funny. I just had Safari 3.1 crash and take my whole system with it. Figured it'd be a good time to go to 3.2 since this is one of my rare restarts. Bad move. 3.2 demands 10.5.5 and the latest security update. Why? I don't know. I bet the Windows version doesn't demand Vista SP2 and all the latest security updates. I upgraded from 10.5.3. 10 minutes, double reboot, etc. Safari still wouldn't install without the security update that Software Updater didn't even list until 10.5.5 was installed. Another 5 minutes to install that and double reboot. Finally installed Safari after another few minutes. A browser shouldn't need over 20 minutes to install. Then 3.2 crashed almost instantly. Reopening it every time gave me crashes. I finally went on a search and destroy mission for Pithhelmet. I feel sorry for Mac newbies who wouldn't have this kind of patience or the knowledge to follow the chain of steps. This is not the way to gain converts.

[mcnaugha]

The most important new feature of Safari 3.2 is the long-overdue EV certificate support. If you log in to PayPal you'll see the info on the EV certificate at the top right of the Safari window.