Major Security loophole in Safari

Posted March 23rd, 2012 in General, Mac, iOS, iPhone, iPod

There is no browser that is totally secure. There is no server that is totally secure. There is no desktop, network or data repository that is fully secure. Given enough time, money and minds, eventually anything can be hacked into.

Having said that, there are some things that one would expect to be, at the very least, not vulnerable. One such thing is the browser address bar. We all know about phishing and other stuff, but address bar spoofing is something that is very dangerous.

The latest version of the Safari browser running on iOS (5.1) has this issue. Users of iPhone, iPad, and iPod touch devices running Safari on iOS 5.1 should beware of this security issue, which involves address bar spoofing.

The issue was discovered by David Vieira-Kurz of MajorSecurity.net, and involves “an error within the handling of URLs when using javascript’s window.open() method.”

In other words, when you click something on a page and the page opens a new window, what you see in the address bar may not be the actual site. We are not even talking about tricky URLs designed to fool naive users (something like www.wellsfargobank.com.loanapplication.mortgage.1.com.au); we are talking about a plain URL such as www.apple.com or www.yourbank.com being spoofed. Your address bar can read this, but the actual site can be loaded from another location in an iframe, looking exactly like it.

MajorSecurity.net has this demo page. If you test it in the Safari browser running on an iOS 5.1 device, you will be able to see the security threat.

MajorSecurity.net Demo Page

But we went ahead and decided to test this on other environments. The same issue can be replicated on the following:

  • Safari running on any version of iOS.
  • Safari on iPhone 3GS and iOS 4.
  • Safari on iPod 2G running iOS 4.
  • Safari on iPhone 4S running iOS 5.0.
  • Safari 4.0.4 running on Mac Snow Leopard 10.6.2.
  • Safari 4 running on a 24-inch iMac on Snow Leopard 10.5.x.
  • Safari 5.0.6 running on an iMac on Snow Leopard 10.5.8.

and so on.

This is quite dangerous, and at this point we conclude that this seems to be a problem with the Safari browser itself, not the iOS operating system. We will be testing Safari 5 on Macs and will update this post if there is an issue.

NO ISSUES WITH FIREFOX
On the other hand, this demo page does not cause the issue in Firefox 3.6 and upwards. Makes you wonder if Firefox is a more secure browser! We are not even considering any version of IE because it is not worth it!

MajorSecurity.net has the following:

Solution
=============
Users should upgrade to a newer version as far as the vendor has supplied a patch.

Timeline
================
2012-03-01, vulnerability identified in iOS 5.0
2012-03-01, vulnerability reproduced with iOS 5.1
2012-03-02, vendor has been informed
2012-03-03, vendor response
2012-03-20, advisory published

Update:

Safari 5.0.6 also has this issue. The demo page loads an iframe scaled for an iOS device, but that can easily be changed to fill the entire screen without borders or scrolling, making it appear to be the actual page.

Imagine the nightmare PayPal and banks would have to go through if a rogue element were to attempt this exploit.

The current update from Apple is 5.1.4 for Safari, which relates to Mac OS X Lion. We are not sure if this update fixes the issue for users running the Lion operating system, but there are millions of users who bought a Mac in the last few years and who are likely to be on Safari 5.0.6 and below on Snow Leopard. It is highly likely that most of them did not do a paid upgrade to OS X Lion. In that case there are still potentially millions of users who are vulnerable while using “their latest” available version of Safari. Apple should not leave them behind (assuming Safari 5.1.4 fixes this issue for Lion users). Hopefully we will get a security update from Apple soon!

What's included in the Mac OS X 10.6.8 update

Posted June 27th, 2011 in Mac

The Mac 10.6.8 update addresses the following:

  • Enhancements to the Mac App Store to get your Mac ready to upgrade to Mac OS X Lion.
  • Resolves an issue that may cause Preview to unexpectedly quit.
  • Improves support for IPv6.
  • Improves VPN reliability.
  • Identifies and removes known variants of MacDefender malware.
  • Corrects timezone data in iCal for Lisbon-Portugal.
  • Adds the ability to use Kerberos authentication to a web proxy server.
  • Fixes an issue when saving documents from Xcode or TextEdit when using an NFS home directory.
  • Fixes an issue when importing certain media files into Final Cut Pro.
  • Includes RAW image compatibility for additional digital cameras.
  • Mac OS X v10.6.8 also includes fixes provided in the Mac OS X v10.6.7 Snow Leopard Font Update:
      • Addresses an issue in which some OpenType fonts don’t display correctly in certain applications.
      • Resolves issues printing from Preview.
      • Addresses an issue with PDF files not opening in third-party PDF viewing applications.
      • Resolves invalid font errors when printing to PostScript printers.

Apple releases Mac OS X Snow Leopard 10.6.8 update

Posted June 24th, 2011 in Apple News, Mac

Apple released the 10.6.8 Mac OS X update yesterday. Here is the summary of what it is intended for.

The 10.6.8 update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac, including fixes that:

- Enhance the Mac App Store to get your Mac ready to upgrade to Mac OS X Lion
- Resolve an issue that may cause Preview to unexpectedly quit
- Improve support for IPv6
- Improve VPN reliability
- Identify and remove known variants of Mac Defender

For detailed information on this update, please visit this website: http://support.apple.com/kb/HT4561.
For information on the security content of this update, please visit: http://support.apple.com/kb/HT1222.