Showing posts with label safari. Show all posts
Showing posts with label safari. Show all posts

Friday, March 18, 2011

Apple talks about the slow web apps



The controversy swells on Nitro, the JavaScript engine found in Safari Mobile from iOS 4.3. Earlier this week, we noticed that the web app were 2 to 2.5 times slower than the same site displayed in Safari.

Shortly after a study by Blaze Software said loud and clear that a Nexus S averaged 52% faster than a 4 iPhone to surf the web. However, this study was not conducted directly through Safari, but in a WebView.

These various data have not failed to create a little controversy, which once will not hurt, drove Apple to break the silence. One of his spokesmen, Trudy Miller, confirmed that the web views do not include all optimizations for Safari. Therefore, the study of Blaze Software is partly inaccurate. It is true that the iPhone's browser is slower than that of Android. By cons, running web app (thus bypassing the browser) is actually much faster on Android.

So why web apps are they deprived of Nitro and the lack of support for the HTML5 cache? For John Gruber, we must not see evil everywhere and think that the way the Californian Company focuses on native applications to web applications.

The real problem for Apple is safety. Unlike its predecessors, Nitro is a JavaScript engine that includes the time compilation (JIT). However, a JT needs to have the ability to mark pages in RAM memory as executable. However, unlike Mac OS X, Apple iOS prohibited on grounds of safety. Such a mechanism could lead to hijacked the execution of unsigned code.

In other words, if Safari 4.3 is under iOS much faster, there is a significant part-cons: if someone manages to exploit a vulnerability in its browser, then it can do much more damage than before. One can imagine that Apple has enough confidence in its browser to integrate such a possibility.

For Gruber, it is more likely that Apple will not stop there. He believes that to generalize Nitro web applications, there should be a web application to run JavaScript in a process separate and independent, a bit like Safari on Mac and PC that creates a separate process for Flash. In theory, this is what Apple is preparing for Webkit 2, whose project was announced last April: "WebKit2 is designed primarily to support the separate processes, where the Web content (JavaScript, HTML, etc.). made his living in a separate process [...] this model is comparable to Google Chrome, the chief dissimilarity that we have built straight into the structure, and it is easy to get to other browsers.

Sunday, January 30, 2011

Walt Mossberg - Wall Street Journal



"Although this is an evolution rather than revolutions as the first model, the changes made by Apple are generally pleasant and positive, the device worked well. For most average users not techies, I recommend against many competing tablets I have tested so far, especially with entry-level price remains attractive. "

"Placed on a table between the old and the iPad, Motorola XOOM, the iPad 2 gives them an air puffy. Its surface is not even at the height of the side buttons of the first model. And although the weight difference is not huge (601 g against 680 g on the model Wi-Fi, ndr), Mossberg has still found a significant improvement when taking in hand the iPad 2.

Same comment as regards the speed of operation, no major differences, but clearly discernible gain, applications will launch a little faster and the whole is very reactive "It has never crashed during my tests, contrary all tablets Android that I tested. Given other tests, Mossberg was probably not too forced on the new iMovie and GarageBand, more prone to crashes.

Some items are subject to criticism, and are found in most reviews. "His camera takes mediocre pictures" If the video quality is considered "decent" Mossberg that Apple offers regrets cameras "disappointing" when it includes new applications and photo opts for quality.

On autonomy, it has not found the score of the previous model. A little over 10 hours cons iPad 11.30 with a continuous play of video, with Wi-Fi and 3G active and screen brightness at 75% Consolation Xoom on the same test takes less than iPad 2. But he could hold his office for 48 iPad using various applications (Mail, books, FaceTime, Twitter, Safari, etc.).

Also a critique on the new design, flatter and more rounded edges that make it a little trickier connecting accessory. Nevertheless it is to his taste for the best tablet on the market for the average user.

Saturday, December 4, 2010

HTML5 video: they redid the game?



Google has decided to remove the H.264 support in its browser within two months. The reason stated for this choice: the promotion and support of open formats to the detriment of the open standard (but not least the owner) what is H.264.

Here is another episode in the long battle that pits two camps around the HTML5 video tag. WebM supporters are surprised to dream that such support is crucial to switch things ... The Free Software Foundation does not hide his enthusiasm after the announcement. But despite the undeniable weight of Google, it will take much to tip the current balance of things.

Let's start by estimating the forces in place. In the field of computer browsers, only Safari and Internet Explorer remain in the camp of H.264, while Firefox, Opera and now Chrome (which was previously the only browser to support both formats) are in the camp WebM. Regarding the effective support of HTML5, only IE9 (0.46% market share), Safari 4 + (5.41%), Firefox 3.5 + (21.09%), Opera 10.5 (2%) Chrome and 3 + (9.8%) support the video tag, at least among the browsers on your computer. This still represents a minority of all browsers currently used.

Because we must not omit mobile devices, particularly iOS, whose inability to read from Flash was one of the drivers of the adoption of H.264 on the web. If not iOS assumes "only" 1.69% market share of operating systems (all machines together), it is nonetheless the backbone of mobile platforms, a highly strategic area. Other mobile OS also offer all native support for H.264, with hardware acceleration that makes reading more energy efficient.

Tuesday, November 23, 2010

Safari, a victim of his age?



But if there's one application that one might be tempted to apply this perspective, it's Safari. A French window all the more sensitive it is open to a world where hostility is not lacking. And then, Apple has fallen behind Google and its sensitive Chrome: it is fully designed to isolate processes from each other and HTML rendering extensions, is the concept of sandboxing, confinement in bins sand, literally.
Safari for Mac could give the impression to use the sandboxing for plug-ins like flash, but isolation is not complete - it is just there to prevent the component to crash the browser.

Mac OS X Lion could change somewhat the situation: a new process is associated with Safari, and it could be exclusively dedicated to rendering HTML, Safari Web Content (read: Safari 5.1: separate processes and WebGL). But it remains far from that Chrome isolates each tab in a dedicated process. And for Miller, Apple has "failed - or did not seek" to make regularly available for Safari updates made to its rendering engine, WebKit. As to better illustrate this assertion, Chrome has already enjoyed a patch for the vulnerability exploited in the last Pwn2Own to make him fall.

Wednesday, November 17, 2010

Faults! Yes, but it is still necessary to exploit ...



But it is on one side and holes on the other, the possibility of exploiting them. Mac OX 10.5, Apple introduced two devices to protect its operating system against this: the ASLR and DEP. The first, and Address Space Layout Randomization, is to introduce an element of chance in the distribution of data areas in virtual memory. And thus limit the possibilities of executing malicious code introduced in memory overflow the buffer, for example. DEP completes the first device by prohibiting the execution of injected code still in memory areas reserved for data. The DEP is closely tied to the hardware architecture of the computer.

In Mac OS X 10.5 and 10.6, the ASLR is too partial. Charlie Miller underlines that "there are many things that are not random, as the location of the dynamic linker [which deals with memory and seek to link shared libraries when an application is launched], or stack and heap [two areas in memory where some data are stored temporarily]. "And for the DEP, the situation is no better: it only applies to 64-bit process. Charlie Miller, he must report this to the world in the face: "In Windows, ASLR is complete and they have the DEP." And if, for Apple, the move to 64 bit improves security for Miller " this makes the circumvention of DEP that more difficult. "But not impossible.

Certainly, as pointed out Charlie Miller, Apple has made available to developers - and uses in Safari - tools from further strengthen security: "canary." These are reference values that are placed in a buffer and to verify the data stored in the stack to monitor potential buffer overflows, the first data corruption in this case to just be the canary. But again, the expert pointed out that using this type of security systems based on the specific compiler may require a migration to environment and development is not entirely suited to large projects with a strong history.

Wednesday, November 10, 2010

Apple and security issues



The reputation is not everything. And, as usual, Mac OS X did not fail to fail at the last edition of Pwn2Own at CanSecWest. This time, it is the French Security VuPen who managed to find and exploit a flaw in WebKit HTML rendering engine of Safari - in particular.

It must be said that VuPen has made a specialty of so-called "intrusion friendly" or, in other words, the penetration test. Among the clients VuPen Security include including Microsoft, Shell, Sagem or IGN. Their job is the testing of security policies applied to information systems. Teams efficient enough that during the 2009 conference on Security Workshop VuPen has sold out and has attracted the interest of representatives from the retail, telecommunications, or the Army.

For IOS, it's even Safari which served as a gateway. And it's a regular who has taken on the task: Charlie Miller. Security analyst at Independent Security Evaluators, Charlie Miller has been awarded four times during Pwn2Own. Twitter, he describes himself as "Mr. Apple 0-day", ie one that runs from previously unknown flaws in the software firm at the apple. A specialty of Miller, the Fuzzing. An approach to vulnerability research developed mainly by Ari Takanen, CTO of Codenomicon Finnish. Jared DeMott, Charlie Miller, he co-authored a book dedicated to the subject, "Fuzzing, for software security testing and quality assurance", published in 2008 by Artech House. At the end of the book, a case study is also devoted to the search for vulnerabilities in QuickTime Player.

The basic concept of Fuzzing is relatively simple: it is looking application interfaces accessible from the outside and saturate the corrupted data - in the sense that they are not consistent with what the application is supposed to address - and then see what happens ... In a way, we can see a parallel here with the compromise of websites SQL injection: in both cases, the software is not adequately protected against attempts injection data does not correspond to that it must wait for a legitimate user ...

Last year, Charlie Miller stressed in particular that OS X "has a broad surface attack involving open source components, third party components closed [with Flash], and Apple closed components [Preview, etc.].." Each of these software elements can be an attack vector. Recently, as part of an interview with German magazine Heise, he explains his stubbornness to attack Apple's software: "I use various Apple products and it is in my interest that they are as safe as possible [. ..] If you listen that Apple (or Mac fan boys) you believe that Macs are impossible to hack, which is not the case. "

Especially for him, it is important to know the faults to measure the level of software security, it does not boil down to this: "you must take into account those who threaten you, the resources available to them. "So, for him too, right now," a Mac with Snow Leopard is the safest choice [to surf the Internet] mainly because of its market share. "But the Mac's OS is it more secure? No, he answers without reservation: "In my experience, it was easier to find and exploit vulnerabilities in Mac OS X systems in modern Windows (Vista and 7)." Indeed for him, Web browser is the safest Chrome, Google. And recommend the passage of any extension disable unnecessary.