Apple plays catch-up, adds anti-fraud safeguard to Safari
Also patches 11 bugs in Windows browser, 4 in the Mac version
Computerworld - Apple yesterday added anti-phishing protection to Safari, the last major browser to receive the feature that blocks known identity-stealing sites. The company also patched 11 security bugs in the program, the bulk of them specific to the Microsoft Windows version.
Released Thursday, Safari 3.2 includes a new feature, dubbed "Fraudulent sites" in the browser's options listing. However, Apple did not update either Safari's help file or its online documentation with any additional information about the tool, including how it works, what database it uses to "blacklist" sites and whether it relays URLs back to Apple for checking or relies on a locally-stored database.
The Safari 3.2 end-user licensing agreement (EULA) does not include any mention of the new tool, and Apple did not respond to questions about the feature.
Apple nearly pulled the trigger on an anti-phishing add-in in 2007, when it had planned to incorporate it into Safari 3.0. However, it dropped the feature prior to releasing the browser as part of the upgrade to Mac OS X 10.5, also known as Leopard, in October 2007.
Earlier this year, PayPal, eBay Inc.'s payment service and the frequent target of fraudsters, announced it would block browsers that don't include anti-phishing features from accessing its site. Of the then-current major browsers, only Apple's lacked such a feature. A few days later, however, PayPal backed off, saying it had no intention of keeping Safari users from its site.
At the time, PayPal also said that the lack of support for Extended Validation (EV) certificates, a more regulated version of SSL (Secure Socket Layer) certificates, would bar a browser from its service as well. EVs are meant to reassure users that the online site is legitimate; browsers that support them typically signal that the site is safe by a change to the address bar.
Apple's announcement that it had added support for EVs was cryptic: The only mention was in the typically-terse description of the 3.2 update, which said "features ... better identification of online businesses."
Unlike rival browsers such as Mozilla Corp.'s Firefox and Microsoft Corp.'s Internet Explorer, however, Safari doesn't modify the address bar when it reaches a site with an EV certificate. Instead, it adds a small button to the upper right of the window that names the company owning the certificate. A small locked padlock symbol appears beside the button. Clicking on the button brings up details on the certificate.
Apple also patched 11 vulnerabilities in the Windows version, and four in the Mac OS X edition, with the upgrade to Safari 3.2.
According to the accompanying advisory, a majority of the bugs -- eight out of the 11 in Windows, two of the four in Mac OS X -- were pegged with the phrase "arbitrary code execution," Apple's way of saying that the vulnerability is critical and could be exploited by hackers to hijack a PC or Mac.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into... All Mac OS White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Mac OS Webcasts