Category Archives: Security

Google Chrome Vulnerability Disclosures

Webkit is the foundation of Apple Safari and Google Chrome. Yesterday both companies announced security patches for their browsers, many related to Webkit. Here is a sample of just one from the Apple Safari update page.

WebKit

CVE-ID: CVE-2010-1398

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in WebKit’s handling of ordered list insertions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of list insertions. Credit to wushi of team509, working with TippingPoint’s Zero Day Initiative for reporting this issue.

Compare that with the format for the same bug on the Google Chrome update page.

[43487] High Memory corruption in text transforms. Credit to wushi of team509.

That is it, just one line. 43487 looks like a tracking reference number that is internal to Google. I gathered this bug is the same as the one above from the credit reference to wushi. No CVE? No platform reference? I clicked on the number 43487, which points to code.google.com, so I could read more and confirm details…

Your client does not have permission to get URL /p/chromium/issues/detail?id=43487 from this server.

This is not very impressive. Moreover, it is inconsistent with earlier Chrome security notices that were done well. The June 9, 2009 notice, for example, explained two WebKit security patches. Here is the first one:

Google Chrome’s Stable channel has been updated to version 2.0.172.31 to fix two security issues in WebKit.

CVE-2009-1690 Memory corruption
A memory corruption issue exists in WebKit’s handling of recursion in certain DOM event handlers. Visiting a maliciously crafted website may lead to a tab crash or arbitrary code execution in the Google Chrome sandbox. This update addresses the issue through improved memory management.

Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.

Mitigations:

* A victim would need to visit a page under an attacker’s control.
* Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.

That was more like a normal patch announcement and clearly more useful.

Apple did a nice job. Why did Google switch to the weaker format and use internal links? It is also interesting to note that what gets attention is not how little information they give but that they paid a $2000 bounty for just one flaw.

[$2000] [39985] High Cross-origin bypass in DOM methods. Credit to Sergey Glazunov.
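To make the difference between the two formats concrete, here is an added example (not code from the post or from either vendor) that normalises a Chrome one-line entry and an Apple-style "Key: value" advisory into one record and reports which fields a vulnerability tracker would be missing. The sample inputs are the lines quoted above, and the REQUIRED field list is an assumption about what a tracker needs.

```python
import re

# Constructed sample input: the two Chrome release-note lines quoted in the post.
CHROME_LINES = [
    "[43487] High Memory corruption in text transforms. Credit to wushi of team509.",
    "[$2000] [39985] High Cross-origin bypass in DOM methods. Credit to Sergey Glazunov.",
]
# Constructed sample input: the Apple advisory quoted in the post, one "Key: value" per line.
APPLE_ADVISORY = """CVE-ID: CVE-2010-1398
Available for: Mac OS X v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of ordered list insertions. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue."""

# Chrome's one-liner: optional [$bounty], [issue id], severity word, summary, optional credit.
CHROME_RE = re.compile(r"^(?:\[\$(?P<bounty>\d+)\]\s*)?\[(?P<issue>\d+)\]\s+"
                       r"(?P<severity>Critical|High|Medium|Low)\s+(?P<summary>.*?)\.?"
                       r"(?:\s*Credit to (?P<credit>.+?)\.?)?$")
# Assumed: fields a vulnerability tracker needs from any advisory before it can triage it.
REQUIRED = ("cve", "platforms", "impact", "severity", "credit")

def parse_chrome_line(line):
    # Normalise one Chrome entry into the common record; fields the format lacks stay None.
    m = CHROME_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised Chrome entry: {line!r}")
    d = m.groupdict()
    return {"issue": d["issue"], "severity": d["severity"], "credit": d["credit"],
            "bounty": int(d["bounty"]) if d["bounty"] else None,
            "summary": d["summary"].strip(),
            "cve": None, "platforms": None, "impact": None}  # not carried by the one-line format

def parse_apple_block(text):
    # Normalise an Apple-style "Key: value" block into the same record.
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    platforms = [p.strip() for p in fields.get("available for", "").split(",") if p.strip()]
    credit = re.search(r"Credit to (.+?)(?:,| for reporting|\.)", fields.get("description", ""))
    return {"cve": fields.get("cve-id"), "platforms": platforms or None,
            "impact": fields.get("impact"), "summary": fields.get("description"),
            "credit": credit.group(1) if credit else None,
            "severity": None}  # Apple's format gives no severity rating

def missing_fields(record):
    # The required fields this advisory does not supply, in REQUIRED order.
    return [f for f in REQUIRED if not record.get(f)]
```

Run over the two samples, the Chrome entries come back without CVE, platform or impact data, while the Apple block lacks only a severity rating.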

San Francisco photos, Locals v Tourists

Maps of cities are now being generated to differentiate where people are taking photos, based on geotag data. This is a view of San Francisco (blue for locals, red for tourists):

Locals and Tourists #3 (GTWA #4): San Francisco

Originally uploaded by Eric Fischer

Locals take photos in residential areas while tourists take photos in tourist areas. Should we be getting more insight out of this map?

What if we break it down by tourist hometown, by gender and by age? How do tourists from Korea compare with Japan, or Germany versus France? It would seem the map becomes more informative the more sensitive, private data is available…and that is exactly the kind of pressure many companies feel when thinking about how to visualize their databases of customer information.

IE8 Security Video

Microsoft is releasing new marketing information as part of their campaign to kill IE6.

An IE8 security video is now available on their site, and on some TV stations, which mentions three features:

  • Domain highlighting
  • SmartScreen Filter
  • Blacklist of malicious sites

The video, to be frank, does not work for me. Nothing is memorable. I know I am not the intended audience, but I think most people would find the music bland, the actors bland (they just sit and stare at a screen), and the information extremely dry. Terms like click-jacking and XSS are just tossed in at the end of sentences without any context. They really lost me with the phrase “right out of the box”. It should be obvious to everyone that there is no box for IE8 and that installation and configuration are still required.

Microsoft’s best hope for this video could be that some parodies emerge and go viral (pun not intended).

My suggestion for improvement? They should have tried to produce something more like Virgin’s pre-flight warning video. It delivers security information and safety features in a very memorable and enjoyable format: