Apple Security Update 2007-009 Can Cause Safari Crash
by , 3:50 PM EST, December 18th, 2007
The Apple Security Update, 2007-009, for Mac OS X Tiger and Leopard published
on Monday could have subtle, adverse effects on operations in Safari.
It turns out that changes in Safari, in order to increase security,
could cause crashes in some special circumstances. That can happen due to the
way the security update affects how frames are handled in Safari,
according to TMO's resident coding wizard, Stephen Swift.
"The error happens when the user tries to submit a form to another target frame or window. Safari stops that, and, in fact, crashes. The idea is to keep any malicious hacker
from, for example, trying to load code into a hidden window," Mr. Swift proposed. [However, crashing may not be the intended behavior.]
The effect became noticeable right after the update was applied and TMO editors tried to
work in our publication system. Changes on the server side of our publication system had to be made to accommodate the way Safari now works.
The Security Update does not appear to affect OmniWeb 5.6 or Firefox 2.0.0.11 in that specific way.
My Safari was crashing all the time before the update. It's still crashing. I've trashed the plist file, still no go. Flash is killing me. Gives me the error message every time. Very frustrated.
Name: Burnum - TMO Staff | Posts: 772 | Joined: 17 Jun 2001 | Tue Dec 18, 2007 6:18 pm
If Safari is crashing every time you open it, see MacFixIt's article: What to do when an application won't launch. They guide you through updating prebindings and other steps.
If you think Flash is the culprit you can remove it (and any other plugin) from
~/Library/Internet Plug-Ins
or
/Library/Internet Plug-Ins
And yes, I don't think Safari is supposed to crash when it encounters this form tag target attribute problem. Apple will probably fix this in another update.
Yes, I tried to log in to my bank's internet services and Safari crashed three times. I had to give it up and resort to Firefox. But I really hope that they fix this ASAP. Do they need more testers one wonders?
This update taken today, and the Java and Quicktime updates on Monday too have been a nightmare for me. In Safari, input buffers started taking text and displaying it right to left (if you alternate typing a letter and then right arrow you can force LTR). Firefox is OK (as used now). I had hoped 2007-009 would fix the two problems I mention that date back to Monday. It did not.
Now Safari won't negotiate the login needed by me for a (slightly) protected and daily accessed source. Firefox and Opera work fine.
In addition, Monday's J&Q et al. upgrade apparently clobbered Apple Mail, so that anything requiring a new compose window does nothing, e.g. New, Reply, Reply All, Forward etc. All this happened once before a couple of months ago when I was stupid enough to try the early Safari 3 beta. I eventually had to reinstall the OS, which was a pain. I am not happy that Apple has, to my mind, started issuing buggy updates. If the updates are buggy then the security likely enough has holes too, just not the ones recently fixed, one hopes.
I started using a mirror backup disk back with the first occurrence of Apple update woes, but this was itself knocked out of commission on Friday by running Sophos AV. That quarantined some files (PC virus attachments from mail archives which were irrelevant) which were then untouchable to the SuperDuper! backup script that had been doing a great job until then. I finally used 'sudo rm' and backups could run.
Good luck to us all, then with new Apple Software Updates!
I had a bunch of problems with sites (Disney.com of all things, too) and Flash. I finally did a search and found that when I updated to Flash 9, it did not overwrite Flash 8. Viewing installed plugins showed both. I then went to the Adobe site and found a Flash uninstaller; it removed 8 and 9, then I reinstalled 9.
Name: Burnum - TMO Staff | Posts: 772 | Joined: 17 Jun 2001 | Wed Dec 19, 2007 2:24 am
Although this won't fix the bug mentioned in the article, you may want to check the InputManagers folder to see if there are any haxies in there (and remove them). They can cause odd behavior and crashes.
~/Library/InputManagers
and
/Library/InputManagers
A crash can be exploited in some circumstances but usually not. The crash is denial-of-service but to execute arbitrary code the evil-doer will want the app to keep running.
So, now what? I have PayPal's Buy Now buttons on my ecom page on my site. I've posted an alert to buyers in a nutshell, that if they've updated Safari and it crashes when clicking on BuyNow buttons to try the pre-update version of Safari if possible, or to use Thunderbird. Can anyone suggest one or two browsers most compatible for Windows users?
Remove any target="paypal" code and add the following line instead:
<input type="hidden" name="shopping_url" value="http://www.yourwebsite.com/store_url/">
It's not as fast as the "pop a new window for the shopping cart" solution since it loads your store page every time, but at least it's a cleaner solution (IMHO) and Safari doesn't crash anymore.
Make sure to add this line to both your View Cart and Add to Cart buttons.
...................................................
Can someone please tell me if this is a safe fix or might it affect security or any other issues? Until Safari resolves this, I'm looking for confirmation or a no-don't-do-that reply and why.
Any other PayPal seller reports re: this issue and if so, how are you working around it?
Name: Burnum - TMO Staff | Posts: 772 | Joined: 17 Jun 2001 | Fri Dec 21, 2007 1:06 am
Marlise: Firefox is both Mac/PC compatible and isn't affected by this bug.
Although I don't work with PayPal, your workaround should be no less secure than your current code. That line you are adding looks like it's telling the next page you view that your website=http://someurl so PayPal can track the purchase back to you.
I'm guessing
Quote
Remove any target="paypal" code and add the following line instead:
means to simply delete any occurrence of the "word" target="paypal" and not any of the PayPal code (which you'd still need to make PayPal work).
Until Apple releases a fix, this is the only workaround I know of.
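The workaround discussed in the posts above, sketched as an added example (not code from the article, the posters, or PayPal): it lists every form that posts to a named target and, for forms with target="paypal", deletes only that attribute and adds the shopping_url field. The sample page, its field values, and the function names are constructed for illustration; the store URL is the placeholder from the post.

```python
import html
import re
from html.parser import HTMLParser

class FormTargetAudit(HTMLParser):
    """Record every <form> that submits to a named target frame or window."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, action, target)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("target"):
            line = self.getpos()[0]
            self.findings.append((line, attrs.get("action", ""), attrs["target"]))

def audit(page):
    parser = FormTargetAudit()
    parser.feed(page)
    parser.close()
    return parser.findings

FORM_OPEN = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
TARGET = re.compile(r"""\s+target\s*=\s*(["']?)([^"'\s>]+)\1""", re.IGNORECASE)

def apply_workaround(page, shopping_url, target_name="paypal"):
    """Delete only the target attribute and add the shopping_url hidden field."""
    hidden = '<input type="hidden" name="shopping_url" value="%s">' % html.escape(shopping_url)

    def rewrite(match):
        tag = match.group(0)
        found = TARGET.search(tag)
        if not found or found.group(2).lower() != target_name:
            return tag  # other forms are left untouched
        return tag[:found.start()] + tag[found.end():] + "\n" + hidden

    return FORM_OPEN.sub(rewrite, page)

# Constructed sample page: two cart forms and one unrelated search form.
SAMPLE = """<form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="submit" value="Add to Cart">
</form>
<form action="/search" method="get"><input name="q"></form>
<form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="display" value="1">
<input type="submit" value="View Cart">
</form>"""

if __name__ == "__main__":
    for line, action, target in audit(SAMPLE):
        print("line %d: form posts to %s with target=%s" % (line, action, target))
    print(apply_workaround(SAMPLE, "http://www.yourwebsite.com/store_url/"))
```

Running the rewrite a second time changes nothing, because a form without the target attribute is skipped.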
Name: LaurieF - TMO Forum Mod | Posts: 3498 | Joined: 15 Jun 2001 | Sun Dec 23, 2007 5:42 am
The update to the security update (v1.1) has just come out - I haven't noticed any difference, but then it was working fine for me anyway.
There's no specific information on Apple's site.
Correction:
Quote
Apple wrote: Security Update 2007-009 v1.1 addresses an issue introduced in Security Update 2007-009 that may cause Safari to unexpectedly quit when browsing to certain websites.
There is no change to the security content provided in Security Update 2007-009. The security content of Security Update 2007-009 and Security Update 2007-009 v1.1 is available here
Security Update 2007-009 v1.1 will install over Security Update 2007-009, and its installation is recommended to resolve the Safari issue.
Systems that have not yet installed Security Update 2007-009 only need to install Security Update 2007-009 v1.1.
LaurieF wrote: The update to the security update (v1.1) has just come out - I haven't noticed any difference, but then it was working fine for me anyway.
There's no specific information on Apple's site.
I was surprised to see an update this morning. I too did not have any problems with the last update, but of course I installed this one.
One thing struck me after the required restart; I got a dialogue telling me that application OpenBase wanted to communicate out. I denied permission because I wasn't sure what that was. I looked in the log and saw that it has to do with the Parlient PhoneValet database. I am wondering if Apple is tightening down security.
Name: Guest | Sun Dec 23, 2007 7:22 pm
Can we please just get rid of Safari? It sucks, and it makes my life as a webdev harder. Just use Firefox or IE, both are far superior browsers. Safari just opens another hole in the Mac for hackers, and since it's gotten too little exposure to date, it's just gonna keep getting worse.
Name: Intruder - TMO Mac Specialist | Posts: 2926 | Joined: 07 Jul 2004 | Sun Dec 23, 2007 7:56 pm
Wow. The fact that you call Internet Explorer a "superior" browser pretty much destroyed your credibility right there. It is the least standards-compliant browser in existence.
Intruder wrote: Wow. The fact that you call Internet Explorer a "superior" browser pretty much destroyed your credibility right there. It is the least standards-compliant browser in existence.
Well supposedly the next version of Explorer, er it come, will be fully web standard compliant. If it really happens, then that will make the job of web designers a lot easier. Think about it, no more kludgy work-arounds so a page renders properly in Explorer. Of course Microsoft will take credit for creating the first web standard compliant, after all they are the #1 industry innovators.
Name: LaurieF - TMO Forum Mod | Posts: 3498 | Joined: 15 Jun 2001 | Mon Dec 24, 2007 3:34 am
All we need now is the Fake Steve Ballmer to come back and tell us how he took the initiative in inventing the internet…Oh, it's Christmas, and it's time for fairy tales of all colours.
Name: Guest | Mon Dec 24, 2007 2:56 pm
Quote
Intruder wrote: Wow. The fact that you call Internet Explorer a "superior" browser pretty much destroyed your credibility right there. It is the least standards-compliant browser in existence.
Rest of your post is complete flamebait.
The fact that you think Safari is a superior browser to any other browser illuminates your bias and shows that your opinion is set before any analysis of fact. It isn't just IE that requires web devs to write browser specific code. I cannot count the number of lines written to specifically support FF, but both are still way better than Safari, which ignores fonts among other things. Apple thinks it has the market cornered on what a font should look like, and it takes some trickery that just isn't worth my time in my opinion. If you cannot get past your pro-Apple bias, then don't bother commenting on what us web developers have to put up with. I agree that IE has its pitfalls, and yes I have certainly written code to accommodate it. Safari is just worse when it comes to trying to enforce a standard look on your site. Safari itself does not display the same webpage the same way every time. I have no idea why, but sometimes it makes the right side of my page's fonts larger than they are supposed to be. Then I refresh and they get set properly, then I refresh 5 or 6 more times and it will flip flop randomly. The browser is not even standardized within itself. I have noticed this exact same effect when using my iPhone to visit websites. Please, don't let your unabashed distaste for Microsoft make you think that Safari is in any way a superior browser to anything else. I'd even prefer Opera to it, though I kind of want that one to go away as well.
Name: LaurieF - TMO Forum Mod | Posts: 3498 | Joined: 15 Jun 2001 | Mon Dec 24, 2007 3:02 pm
If you weren't so biased yourself, you would have read what he said, and not what you think he said. He didn't say that Safari was the head of the pack; it was that IE was not. That's the point. And you missed it.
Name: Intruder - TMO Mac Specialist | Posts: 2926 | Joined: 07 Jul 2004 | Mon Dec 24, 2007 3:14 pm
Wow. Talk about building a strawman.
Please show me, EXACTLY, where I said that Safari is a superior browser to any other browser. You cannot because I never said it. You just felt the need to build a case against something that was never said.
However, if you think that IE is, in any way, the paragon of virtue when it comes to web standards then you are seriously in need of help. The web is replete with complaints, from web developers, about the standards compliance of shipping versions of IE. I can find no praise for it. Even MS, on their MSDN sites, acknowledges that they need to improve standards compliance (which they apparently are trying to do in IE8).
You apparently have a definite pro-MS bias that is clouding your view. Unfortunate for someone who is developing for something that is supposed to be platform-agnostic.
You never said that Safari was superior to any other browser. Your EXACT words were, "The fact that you call Internet Explorer a "superior" browser pretty much destroyed your credibility right there." How does that not imply that Safari is superior to IE? Otherwise, why would anyone's credibility be destroyed for saying that IE is superior? I'm sorry, I am having trouble understanding exactly what your point was. Did you have one? How can that statement be rectified with the fact that you seem to now say you were not implying that Safari is superior to IE? Please explain it to me. I admit to not understanding what point you are making, if any. I would like to know why you think IE is superior to Safari, at this point, and why you thought it wasn't superior before. I am not pro-MS, clearly I have pointed to other browsers that I find superior to Safari that MS isn't even involved with. FF and Opera are both better than Safari and I use FF as my default browser. My point was simply that even those browsers require us web devs to write code to specifically deal with their shortcomings, so the fact that IE also requires it is not in itself an indication of inferiority.
But Laurie and Intruder, perhaps you can explain to me how if IE is not superior to Safari, how is Safari also not superior to IE? Maybe I get it now... you are saying they are exactly equal? Is that it? I dunno, my head hurts.
Name: Guest | Wed Dec 26, 2007 5:26 pm
No, it still doesn't work. If in your opinion, they are equals, which is the only way to rectify the fact that saying IE is not superior and Safari is also not superior, then one's credibility could not be destroyed for suggesting that IE is superior. It would only take a slight advantage for IE that you did not include in your opinion that concluded they were exactly equal. And one would think that if you were of the opinion that they were equal that suggesting that IE is superior you would not have reacted with such a drastic statement. Sorry, but I cannot understand how you have any logical consistency in your arguments.
Name: LaurieF - TMO Forum Mod | Posts: 3498 | Joined: 15 Jun 2001 | Wed Dec 26, 2007 6:56 pm
Learn some logic, and some maths. Although English is not itself a logical language (qv Language Myths by Laurie Bauer), it is easily possible to argue logically, and mathematically, in English.
By saying that
Code
IE not > Safari
does not imply that
Code
IE = Safari
It can also mean (as I believe) that
Code
IE < Safari
. QED
And don't say things like, "Sorry, but I cannot understand..." You aren't sorry. It's a pathetic response.
I like Firefox; I also like OmniWeb; I haven't used Opera very much at all, so I can't comment on it. I do not like IE, for so many, many reasons. I use Safari because only on very rare occasions can I not see what I want to see. For me, and probably the majority of Mac users, Safari is, at the very least, adequate. In my opinion, it's actually very good.
Why design web pages that are best viewable on IE, but difficult to view on other browsers? Why do it specifically for any other? Why not just make them best viewed on any browser?
(I'm assuming that, since you haven't registered, you, Guest, are the same person as - well - Guest. If you aren't, enter and sign in please)
Name: Guest | Thu Dec 27, 2007 4:02 pm
Laurie, you are going in circles now, and I really do not understand what your point is. At this point, I am not sorry, as you have turned yourself completely around just to bicker. What you are now saying is that if by saying IE is not superior, and they are not equals, then my original assumption was correct: that he was implying that Safari is superior. I didn't write it with math formulas, maybe that's why you got confused, but when I assumed that, you told me that was never said. Therefore, using your own math there, the only other logical conclusion is that he was implying they were equals. What other logical conclusions are there? He clearly thinks that IE is not superior, so they are either equals or Safari is superior. My first assumption, based on one's credibility being destroyed for saying that IE was superior, was that Safari therefore must be superior in his opinion. You "corrected" me, and so I went with the other logical conclusion, that he was saying they are equals, which you now also say is incorrect. What else is there? Stop going in circles. Clearly there is no logic left in your arguments.
Name: Guest | Thu Dec 27, 2007 4:06 pm
BTW Laurie, you didn't explain anything, you just wrote in code exactly what I had written in English.
"Perhaps you can explain to me how if IE is not superior to Safari, how is Safari also not superior to IE? ... you are saying they are exactly equal?"
Then in your code, you showed that if IE is not superior to Safari, then those are the only two logical options. Thank you for using your code to prove my point.
Please, show us how to do that Intruder. You seem to use that term a lot, without understanding its meaning. Then you go on to do it yourself. Here is your strawman.
Quote
Intruder wrote:
However, if you think that IE is, in any way, the paragon of virtue when it comes to web standards then you are seriously in need of help.
Quote
Guest wrote: It isn't just IE that requires web devs to write browser specific code. ... I agree that IE has its pitfalls, and yes I have certainly written code to accommodate it.
Please show me EXACTLY, no, show me where IN ANY WAY, I said that IE is the "paragon of virtue", IN ANY WAY. I won't even limit it to web standards, just where did I ever say that IE was tops? I only said it's better than Safari, but I even listed FF first, "Just use Firefox or IE, both are far superior browsers."
Thank you Intruder, for showing us all how to build a strawman argument. It is easier to debunk that IE is a paragon of virtue when it comes to web standards (which I never even said) than it is to show that Safari is superior to Firefox or IE, or even Opera.