The Omni Group
These forums are now read-only. Please visit our new forums to participate in discussion. A new account will be required to post in the new forums. For more info on the switch, see this post. Thank you!

Go Back   The Omni Group Forums > OmniWeb > OmniWeb Bug Reports
FAQ Members List Calendar Search Today's Posts Mark Forums Read

 
Omniweb subject to javascript injection from QT HREFTrack Thread Tools Search this Thread Display Modes
You've probably seen the headlines, there's an interesting XSS attack going on at myspace using a malicious QuickTime movie to infect myspace sites.

Here's a good description of the basic technique that uses a QT movies to execute a HREFTrack, the HREFTrack being some javascript.
http://www.gnucitizen.org/blog/backd...cktime-movies/

The interesting thing (to this forum) would be that this technique doesn't work in Safari. It does however execute javascript in Omniweb, which surprised me since OW utilizes so much of WebKit.
You can access this test movie to see if your browser displays a benign pop-up http://rdiv.com/downloads/jim/pop-up.mov

I'm not sure whether this is a Safari security feature or lack of javascript support . . . and is this a correctly functioning feature or hole in OmniWeb.
 
This is a good question.

In general, whenever Apple releases a Security Update via Software update, one of the things usually updated is Safari, to fix security holes.

There are also frequent security updates to Firefox, from the Mozilla people.

My question is, what about OW? Are fixes from Apple sufficient to fix the same WebKit flaw in OW, or does Omni need to fix each hole just like Apple?

It would seem from the above post that things fixed in Safari doen't automatically get fixed in OW, which makes me a bit concerned. Not that there are too many security flaws, but it makes me feel better when Apple or Mozilla issue patches regularly and to address major flaw announcements.
 
I have only recent versions of Safari and OW, but apparently even 1.x versions of Safari are not executing this javascript.
 
It depends on the security issue but usually it's our responsibility to release a patch that prevents / corrects the flaw.
 
 


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Similar Threads
Thread Thread Starter Forum Replies Last Post
Omniweb and Javascript? danica_talos OmniWeb Bug Reports 4 2013-10-26 08:39 AM
Mail clipping shortcut doesn't take subject line jlbaker OmniFocus 1 for Mac 2 2010-12-04 01:04 PM
When email comes into Omni inbox, possible to have name appear as well as subject? rshane OmniFocus 1 for Mac 0 2009-01-06 11:01 AM
Email Import to Ignore Subject Line WolfUK OmniFocus Extras 0 2008-01-23 05:31 AM


All times are GMT -8. The time now is 05:22 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2019, vBulletin Solutions, Inc.