Welcome to the MacNN Forums.

Headshot · Apr 21, 2007, 10:12 AM

(View in Safari

Kagi - Kagi

It happened with my G5, and now on my fresh new Intel. I thought I had some settings
wrong, and now I realized this garbage browser was flawed all along, and still is!
Try viewing the above link, and can anybody figure out why these characters are so drunk they're tripping all over each other? I mean what the hell is this?
Half of the webpages would load up like this when I used it.

Viva Firefox.

Atheist · Apr 21, 2007, 10:16 AM

Not sure if this is a joke or what... looks fine to me. You just trolling?

qnxde · Apr 21, 2007, 10:17 AM

Site displays fine for me (Safari).

Headshot · Apr 21, 2007, 10:30 AM

Trolling? Of course, there's nothing better to do on the verge of the nicest day in Chicago this year to date.

No seriously, how come 2 dif. operating systems, a PB, G5 and now this 2.66. all of which never networked or met each other. They all show Safari in this manner.

Even the Apple Start Page looks like this...!

OreoCookie · Apr 21, 2007, 10:50 AM

Looks like you have a font problem to me.
The page loads fine for me, too.

Atheist · Apr 21, 2007, 10:55 AM

Originally Posted by Headshot

...and now I realized this garbage browser was flawed all along...

Trolling? Of course, there's nothing better to do on the verge of the nicest day in Chicago this year to date.

Well.. typically when one makes such broad statements using inflammatory language it can be assumed they are flaming/trolling.

I can't explain what is going wrong. However you have to be smart enough to realize that Apple wouldn't publish their own website in a manner that wouldn't allow it to render correctly in their own browser.

The common denominator in your two computers is... you! So obviously you have done something to your installations that has affected Safari adversely.

Headshot · Apr 21, 2007, 10:56 AM

I'll do a clean install on my G5 when I get ready to sell it, so I'll check again on an unmolested machine.
Wonder if it has something to do with the 800 some fonts I use.

Headshot · Apr 21, 2007, 11:20 AM

Yeah, it's probably me. But what?

These are the possible "customizations" I employ, and I might add, cannot really live without!

You Control (all)
Unsanity Haxies
Spyder II Monitor Calibration
Imageprint RIP software

Oh well, forget it for now, I simply found Firefox to be lightyears ahead, just thought folks could use their Enigma of the Day, lol.

jasong · Apr 21, 2007, 11:58 AM

THIS is why I use this forum less and less!

Nexus5 · Apr 21, 2007, 12:10 PM

Originally Posted by Headshot

bla bla...

Unsanity Haxies

bla bla...

nexus5.

xi_hyperon · Apr 21, 2007, 12:44 PM

Originally Posted by Headshot

Yeah, it's probably me. But what?

These are the possible "customizations" I employ, and I might add, cannot really live without!

You Control (all)
Unsanity Haxies
Spyder II Monitor Calibration
Imageprint RIP software

You have your Macs littered with haxies, yet you don't test for the problem w/o the hacks installed. And then you post a thread announcing it must be Safari's problem. Makes sense to me.

Oh well, forget it for now, I simply found Firefox to be lightyears ahead, just thought folks could use their Drama Post of the Day, lol.

Corrected for accuracy.

JKT · Apr 21, 2007, 12:53 PM

800 fonts - there is probably a conflict or corruption issue. Try clearing your font caches and validating your fonts.

OreoCookie · Apr 21, 2007, 01:03 PM

@OP
You have basically answered your own question. It's ok if you prefer Firefox (I prefer Camino to Firefox, but hey, choice is good

), good. But don't blame Safari when it's not at fault here.

Chances are that it's a fonts issue and I would check your fonts as you might experience problems with other apps as well.

Madrag · Apr 21, 2007, 01:34 PM

I've had the same happen to firefox

It was a font conflict. Does that mean that you'll stop using firefox?

mduell · Apr 21, 2007, 01:52 PM

This is why I wouldn't use Safari: MacBook hacked in contest at security event | CNET News.com

It's too integrated into the OS to be secure... sounds like another browser I used to know.

Chuckit · Apr 21, 2007, 02:02 PM

Originally Posted by mduell

This is why I wouldn't use Safari: MacBook hacked in contest at security event | CNET News.com

It's too integrated into the OS to be secure... sounds like another browser I used to know.

Because it's impossible for a bug to cause arbitrary code execution if a browser isn't "too integrated into the OS to be secure"?

hldan · Apr 21, 2007, 02:36 PM

Originally Posted by mduell

This is why I wouldn't use Safari: MacBook hacked in contest at security event | CNET News.com

It's too integrated into the OS to be secure... sounds like another browser I used to know.

Dude, common, get real with that. Don't take that hack too seriously. I'm suprised anyone would. It took a contest for someone to hack into Safari. Unlike the other browser we all know, I.E. no effort is necessary to jack it up.
Apple has been on point with their security updates and Mac users haven't been hurt so far so one contest loses all trust? Get real. If that convinces you Safari is not be trusted then spend an hour using Internet Explorer on Windows logging into all of your banking websites. That will bring your trust back to Safari.

hldan · Apr 21, 2007, 02:36 PM

Originally Posted by jasong

THIS is why I use this forum less and less!

And yet you are here right now.

mduell · Apr 21, 2007, 02:45 PM

Originally Posted by Chuckit

Because it's impossible for a bug to cause arbitrary code execution if a browser isn't "too integrated into the OS to be secure"?

Originally Posted by hldan

Dude, common, get real with that. Don't take that hack too seriously. I'm suprised anyone would. It took a contest for someone to hack into Safari. Unlike the other browser we all know, I.E. no effort is necessary to jack it up.
Apple has been on point with their security updates and Mac users haven't been hurt so far so one contest loses all trust? Get real. If that convinces you Safari is not be trusted then spend an hour using Internet Explorer on Windows logging into all of your banking websites. That will bring your trust back to Safari.

Visiting a web page should never allow a remote console or arbitrary code execution. Never.

As far as it "[taking] a contest for soemone to hack into Safari" this isn't the first vulnerability like this for Safari and the contest went nowhere before they added a $10k prize in addition to the MB (one analyst suggested that such an exploit is worth $20k in the black hat market).

As I implied in my post, I don't use IE anymore. I'm not sure why you're telling me to use it.

hldan · Apr 21, 2007, 03:02 PM

Originally Posted by mduell

Visiting a web page should never allow a remote console or arbitrary code execution. Never.

As far as it "[taking] a contest for soemone to hack into Safari" this isn't the first vulnerability like this for Safari and the contest went nowhere before they added a $10k prize in addition to the MB (one analyst suggested that such an exploit is worth $20k in the black hat market).

As I implied in my post, I don't use IE anymore. I'm not sure why you're telling me to use it.

I was making a point, it was a pun. See you took that seriously about Internet Explorer as you take that contest seriously. My whole point is aside from the actual news about Mac exploits has any Mac user reported their security being jeopardized? Has anyone reported spyware from Safari? Malware? That's my point. It's been long enough where Macs have been advertised as being relatively safe for internet use and still there's no known viruses or worms.
Safari has it's issues with rendering but security is not one of it's problems.

Chuckit · Apr 21, 2007, 03:27 PM

Originally Posted by mduell

Visiting a web page should never allow a remote console or arbitrary code execution. Never.

Well, duh. Nothing should allow for unintended code execution.

Anyway, my point is that your suggestion that this is somehow inherent in Safari rather than just a common bug is unfounded. We also don't know if just visiting the Web page is enough to trigger it or what. They haven't released the details of the exploit.

Hal Itosis · Apr 21, 2007, 07:40 PM

Originally Posted by Chuckit

We also don't know if just visiting the Web page is enough to trigger it or what.
They haven't released the details of the exploit.

This from computerworld:

Dino Di Zovie, who lives in New York, sent along a URL that exposed the hole. Since the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.

The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said.

The vulnerability won't be published. 3Com Corp.'s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.

And this from the Fireball:

It is not specific to Safari; Firefox – and, I presume, Camino – are also vulnerable. Turning off Java in your browser should defend against it.

MindFad · Apr 21, 2007, 08:39 PM

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

That's all we got? Hey, I'm impressed! A flaw/exploit/what-have-you in Safari is not a flaw of OS X. They don't say how much user interaction is required, nor how many actual steps of interaction need to be taken for this exploit, or what it even is.

Impressive that the Mac can just sit there and be completely fine, though. I know few people paranoid to be on the internet at all on their Windows machines, and I don't blame 'em.

OreoCookie · Apr 21, 2007, 11:56 PM

Originally Posted by mduell

Visiting a web page should never allow a remote console or arbitrary code execution. Never.

Agreed.

As I implied in my post, I don't use IE anymore. I'm not sure why you're telling me to use it.

You seem to confuse a few things about integration: OS X has integrated the rendering engine to a certain degree, it can be and is used by many other applications `for free' (e. g. AdiumX or TextMate). However, Safari itself isn't integrated. In the case of windows, it's different, IE is used as a file browser (which isn't true here) and this is actually a source of evil. However, I've read a few articles on how to replace IE's rendering engine with the gecko engine, for instance.

So the source of the problem is the way IE (and not necessarily just the rendering engine) is integrated into the OS. (A friend of mine crippled his Windows ME installation by deleting IE after installing Firefox, priceless

)

JKT · Apr 22, 2007, 02:28 AM

Originally Posted by MindFad

That's all we got? Hey, I'm impressed! A flaw/exploit/what-have-you in Safari is not a flaw of OS X.

I would say that the flaw in OS X here is that the exploit allows the hacker to take over the whole system. Fair enough (though not at all desirable) if a flaw in your browser or other software makes your home directory vulnerable, but it shouldn't be possible to own the system. This is meant to be what is different about OS X and its security cf. Windows - the contents of your home directory have always been vulnerable to malware (e.g. a trojan) ever since 10.0, but the system should remain untouched because it should be impossible for it to gain access to the root level.

Fwiw, from the descriptions I have read, all that was required was for a person to visit a specially crafted website (hence the 0 day moniker) and nothing else.

Chuckit · Apr 22, 2007, 03:45 AM

Originally Posted by JKT

I would say that the flaw in OS X here is that the exploit allows the hacker to take over the whole system. Fair enough (though not at all desirable) if a flaw in your browser or other software makes your home directory vulnerable, but it shouldn't be possible to own the system.

For clarification, I don't believe this is accurate. There is a separate challenge to gain root privileges, which has not been won to my knowledge. This one only grants user-level privileges.

Originally Posted by OreoCookie

You seem to confuse a few things about integration: OS X has integrated the rendering engine to a certain degree, it can be and is used by many other applications `for free' (e. g. AdiumX or TextMate). However, Safari itself isn't integrated. In the case of windows, it's different, IE is used as a file browser (which isn't true here) and this is actually a source of evil. However, I've read a few articles on how to replace IE's rendering engine with the gecko engine, for instance.

I don't think it's even fair to say WebKit is integrated into the system any more than, say, Ruby is integrated into the system. Both are included with the system and available for programs to use as they see fit, but it's not like WebKit has some kind of overly close relationship with the OS. It doesn't use secret APIs, and the system doesn't depend on WebKit for its operation.

JKT · Apr 22, 2007, 03:52 AM

Originally Posted by Chuckit

For clarification, I don't believe this is accurate. There is a separate challenge to gain root privileges, which has not been won to my knowledge. This one only grants user-level privileges.

You are correct - I was going on the basis of the reports I had read yesterday and it seems that they weren't entirely accurate either

OreoCookie · Apr 22, 2007, 03:22 PM

Originally Posted by Chuckit

FI don't think it's even fair to say WebKit is integrated into the system any more than, say, Ruby is integrated into the system. Both are included with the system and available for programs to use as they see fit, but it's not like WebKit has some kind of overly close relationship with the OS. It doesn't use secret APIs, and the system doesn't depend on WebKit for its operation.

That's exactly what I said, isn't it?
Also in case of IE, the problem is not the rendering engine, but that IE is so closely knit into the system (e. g. as file browser).

Chuckit · Apr 22, 2007, 03:27 PM

Originally Posted by OreoCookie

That's exactly what I said, isn't it?
Also in case of IE, the problem is not the rendering engine, but that IE is so closely knit into the system (e. g. as file browser).

I was just clarifying that even WebKit is really nothing more than a framework that's distributed with the system. There's no special "integration" going on between that and the underlying layers of OS X.

Hal Itosis · Apr 22, 2007, 06:25 PM

Originally Posted by Chuckit

There is a separate challenge to gain root privileges, which has not been won to my knowledge.
This one only grants user-level privileges.

This exploit didn't -- in-and-of-itself -- gain 'root' access, (AFAIK).

However... a few so-called "local" exploits, as yet unpatched by Apple
(vis-à-vis MOABs #5, 15 and 21) are some of the methods an admin
intruder could employ to run scripts/commands as root, without any
user ever typing (or even knowing) a single password!!!

This shows why it's less than sensible when people scoff at "local" exploits,
arguing that *physical access* trumps everything, so therefore [supposedly]
it isn't worth the bother to fix such types of vulnerabilities.

Unfortunately, as soon as someone finds some other remote entry-point,
they instantly have a tool-chest available to them for acquiring pwnership.

I am not saying this is what happened here... but it would be possible, no?
Am I correct... MOABs #5, #15 and #21 still remain intact and ready to go?

PER3 · Apr 23, 2007, 11:53 AM

Originally Posted by OreoCookie

In the case of windows, it's different, IE is used as a file browser (which isn't true here) and this is actually a source of evil.

Is a true file browser different to being able to access a file in Safari with

file:///Users/... ?

I just dropped a folder of pictures onto my Bookmarks bar in Safari and they were all accessed fine (although Microsoft Office docs didn't show up).

Just curious.

OreoCookie · Apr 23, 2007, 05:40 PM

Originally Posted by PER3

Is a true file browser different to being able to access a file in Safari with

file:///Users/... ?

I just dropped a folder of pictures onto my Bookmarks bar in Safari and they were all accessed fine (although Microsoft Office docs didn't show up).

You can view local files with Safari (well, the formats Safari can understand, e. g. various image file formats and html files), but Windows' Explorer is based on Internet Explorer, i. e. essentially IE is the Finder.

Headshot · Apr 24, 2007, 02:45 PM

Originally Posted by xi_hyperon

You have your Macs littered with haxies, yet you don't test for the problem w/o the hacks installed. And then you post a thread announcing it must be Safari's problem. Makes sense to me.

Corrected for accuracy.

Haxies that I really couldn't function without: Windowshades (remember that?), multiple desktops, RIP software for my business, etc.
How am I supposed to know this when I post this thread??? If I knew everything I wouldn't very well be here would I?
Besides look at all this wonder dialog this has opened up. And if Safari is that weak and vulnerable to be affected by these or a font-conflict (which doesn't seem to affect ANYTHING else) then I go back to my original statement: THIS IS WHY I DON'T USE SAFARI!

Makes sense to me.

Chuckit · Apr 24, 2007, 03:51 PM

Originally Posted by Headshot

And if Safari is that weak and vulnerable to be affected by these or a font-conflict (which doesn't seem to affect ANYTHING else) then I go back to my original statement: THIS IS WHY I DON'T USE SAFARI!

There are lots of valid reasons why somebody might not use Safari. I'm using Firefox right now because it's better suited to my needs here. But your misapprehensions about some weird concept of "weak software" are not one of those valid reasons.

PhotoMacUser · 04:20 AM

Guess what? I found that the standard fixed width font courier 13 does not always work well. Go to Safari>Preferences>Appearance and Change Fixed Width Font to Helvetica 13. At least that is what worked for me. You can view the changes as you view the page- refresh if necessary.

To review-Changed Fixed Width to Helvetica 13 or other common font. I hope it works for you!

JKT · Apr 26, 2007, 02:59 AM

Um, don't do that - Helvetica is not a fixed-width font. You'll break the display of some pages by choosing anything other than e.g. Andale Mono, Courier, Courier New, or Monaco (which are the fixed-width fonts that ship by default with OS X - if you've installed any others you can pick those too).

Headshot - even if Safari is the only app where your font conflict or other issue is exhibiting itself (fwiw, it won't be as e.g. other apps make use of WebKit too), you do still have a problem which needs to be solved. This isn't the first time this display issue has happened in Safari for people.

Read e.g. here for more info and a probable solution (do you have Helvetica Fractions and/or Times Phonetic fonts installed?)

JKT · Apr 26, 2007, 03:00 AM

Or here.

This Apple document might help to:

Mac OS X 10.4: Fonts list

PhotoMacUser · Apr 26, 2007, 04:17 AM

Originally Posted by JKT

Um, don't do that - Helvetica is not a fixed-width font. You'll break the display of some pages by choosing anything other than e.g. Andale Mono, Courier, Courier New, or Monaco (which are the fixed-width fonts that ship by default with OS X - if you've installed any others you can pick those too).

Headshot - even if Safari is the only app where your font conflict or other issue is exhibiting itself (fwiw, it won't be as e.g. other apps make use of WebKit too), you do still have a problem which needs to be solved. This isn't the first time this display issue has happened in Safari for people.

Read e.g. here for more info and a probable solution (do you have Helvetica Fractions and/or Times Phonetic fonts installed?)

I just want to be clear and I am not saying you are wrong. I can find nothing in the Apple documentation that says you "cannot" use something other than the Fixed width fonts for fixed width in the browser. It makes sense to use them for the reasons you site, however the worst that can happen is that certain pages won't look right. If that is the case I will open appearances and switch the font back to a Fixed Width. I do prefer my helvetica font and to this point I have had no conflicts. That's why they are "preferences" - they are my preferences. If you like or prefer Monaco or Andale or the ever popular Courier and have no problems knock yourself out.

Sprocket · Apr 26, 2007, 09:58 AM

Ahh . . . Headshot, this Kagi page looks fine to me using Safari on both PowerBooks and my iBook - all running 10.4.9. I don't understand your beef. It sounds to me you messed up some sort of setting (Text Encoding?). Consider installing a fresh copy of Safari. Consider using Pacifist for this. Google it.

Safari hack? It is a basic Java exploit (not to be confused with JavaScript). Just turn off JAVA in your browsers till a patch is offered. That's right - broweserS, as this could affect all of them. No big deal really - we went through this in the late '90s.

Have a nice day.

ramcosca · Apr 29, 2007, 11:30 PM

Originally Posted by Headshot

This is a common occurrence for me in iTunes. Don't ask me why, I just know it does that.

Don Pickett · Apr 30, 2007, 01:59 AM

It's a font issue. For me it has often been traced to the font Helvetica Fractions, which messes things up. If you've installed MS Office, or Creative Suite, they install numerous Truetype fonts which can be auto-activated and cause the problem.

BlueJungle · May 17, 2007, 05:25 PM

It's a font issue. I believe it was covered in MacWorld's May issue. I don't have access to it now, but they told a way to easily solve the situation.