Safari Windows Detection ... and all That Implies
Apple recently gave Windows iTunes users the option to download the Safari web browser. This move was criticized by many bloggers and security experts. What we will be discussing in this blog today is detection of the Windows Safari application and also examine how organizations could react to this situation.
Nessus plugin #31788 named "Safari Detection (Windows)" looks for Safari installed on a Windows platform. This plugin requires credentials to analyze the Windows system to see if the browser has been installed. If credentials are not available, this plugin won't report an issue.
The Passive Vulnerabiltiy Scanner can also be used to generically report the active web browser being used on any host it sees web traffic originating from. In the Security Center screen shots below, all user agents detected by the PVS have been listed:
In the screen shot on the left, only Safari browsers on Mac OS X computers are shown. On the right screen shot, a host that has a single Windows Safari client is shown among several different other browser types. The PVS also has a unique plugin (#3705) which detects the Safari browser.
I've had a few conversations with our customers about this issue and there are a few themes:
- In organizations that banned the use of iTunes, this event gives them much more evidence to support this decision. The organization should be in charge of what software gets run on a network, not the application vendor. This also gives them reason to ban other applications that might include a software delivery method.
- In organizations where iTunes use is allowed, but there is still a requirement for a standard browser such as Internet Explorer, some leniency was given to users who have been educated to accept security updates from their vendors. It could be argued that the Safari push looked like a security update.
- Some organizations are modifying their acceptable use policies to more explicitly state that unauthorized software should not be installed, even if it is from the vendor of an approved application. I've heard several comments from customers basically expecting other major software and operating system vendors to use this sort of technique.
For More Information
We've bloged in the past about enumerating various applications and finding software that should not be there on a corporate network:
- Enterprise Software Discovery with Nessus
- Detecting the Apple iPhone
- Exceeding NIST and CIS Benchmarks
- Security Metrics - Differentiating New Vulnerabilities from Change
- Active and Passive Tor detection