June 12, 2007 6:13 AM PDT

Security researchers: Safari for Windows not so secure

by Robert Vamosi

Within hours of Apple's public release of the beta for Safari 3.0 for Windows, three security researchers independently found holes within the new browser. Researcher Aviv Raff highlighted in a blog post the company's product statement, which reads: "Apple's engineers designed Safari to be secure from day one." Raff found a vulnerability, a memory corruption error that could allow an attacker to insert malicious code on a Windows machine, within three minutes using publicly available fuzzing tools.

Security researcher David Maynor, posting on his Errata Security blog, said he was also able to generate a memory corruption error "in no time." By the end of the day, he was able to generate a total of six bugs--four producing a denial of service (crash), and two capable of executing remote code.

Veteran security researcher Thor Larholm wrote in his blog that he found a "0day" vulnerability in Safari within two hours. The flaw exists in how Safari handles URL protocols within Windows, causing a denial of service (crash). Larholm has published an exploit to demonstrate the flaw.

All of the vulnerabilities were found on Windows machines; none of the researchers could say whether these flaws also existed on the Mac OS.

Originally posted at News Blog
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
(32 Comments)
Month of Safari Bugs (MoSB)
by n3td3v June 12, 2007 6:47 AM PDT
It is known the Month of Safari Bugs is being coordinated with elements of the underground.

Watch Full-Disclosure mailing list for more info.

n3td3v
Worms in an Apple
by DMAN3k June 12, 2007 6:47 AM PDT
Basically, if Mac OS is more popular, Mac OS will have tons more virii than Microsoft Windows. Don't we already know this? Didn't an independent security company find like 3 times more flaws for the latest Mac OS against Windows Vista and 2 times more for Windows XP?

Well, if Apple wants to go mass PC, it's gonna be bitten. Congratulations to Microsoft... eh.
...er...you forget the label
by weegg June 12, 2007 7:14 AM PDT
(Beta).

Wait till final, then let them have it.
Apple should leave Windows alone
by MikeCerm June 12, 2007 7:23 AM PDT
I'm not sure that your figures are accurate, but I totally agree that, at best, OSX is not any more secure than Vista. Only real threat to security these days is users clicking on things they shouldn't, and granting malware access to their systems. That can happen just as easily on Mac as Vista, and if Mac ever does achieve significant marketshare, you'll see infections grow.

The bigger problem I have with Apple is that they release horrible Windows software. iTunes is a bloated, often buggy mess. Quicktime is a file-association stealer, is really ugly, and fails to adopt any common Windows conventions, like being able to resize a Window from any side or corner (among others).

Also, when Apple introduces security flaws (as they have in the past with Quicktime and iTunes), rather than admitting that they can't write secure code better than anyone else, they blame the insecurity of Windows, and take forever to patch their bugs.

There are plenty of things to like about Apple, but their loathsome Windows software and arrogance about security problems will need to go if they're going to continue to grow.
umm, no
by shane--2008 June 12, 2007 9:56 AM PDT
no, it won't. Apache is more secure than IIS despite having
greater share. the security through obscurity myth is so old and
oft disproved that repeating it makes you look foolish to everyone
else.

did a company show otherwise? no. try reporting fact rather
than asking FUD.

while the Mac OS has millions of installs and no viruses in the
wild, Vista was hacked before it had 100,000 installs. that is
the reverse of security through obscurity...

IF safari is more prone to hacking on windows (i suspect it will
be) it will be due to the handling of calls in windows, and not in
the program itself. wait and see...
Slightly more exploits, much less severe
by Martin Pilkington June 13, 2007 10:27 AM PDT
There have been numerous cases of this sort of thing. Windows
having fewer exploits and such than Linux and OS X. For
example, there were figures for the last 6 months of 2006 that
showed Windows had 39 vulnerabilities, Red Hat Linux had 208
and OS X had 43. It seems like Windows wins by quite a way,
until you look at the severity. Windows had 12 high priority
vulnerabilities, Red Hat Linux had 2 and OS X had 1. In essence
you're more vulnerable to having your browser or email client
crash on Linux or OS X but more vulnerable to having data loss,
your system taken over etc on Windows
Congratulations
by setgo June 12, 2007 6:49 AM PDT
You were able to put a bug in a browser. Something to share with the grandkids.
B - E - T - A
by jaythree June 12, 2007 7:16 AM PDT
Look into it.
I would agree, except
by catch23 June 12, 2007 7:47 AM PDT
http://blogs.zdnet.com/security/?p=286

"but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well"

That is not a beta problem.
IE 7 vs Safari
by ArturoYee June 15, 2007 1:11 PM PDT
Very FAST!

When all the bugs get worked out, it's gonna be a KILLER APP!
Well, yes...
by Rick Cavaretti June 12, 2007 7:28 AM PDT
The installation of Safari on a non-native platform brings out 'all of
the fun'.
BETA Schmeta
by kojacked June 12, 2007 7:38 AM PDT
I love how all of the Apple fanboys decry "BETA!" here when Apple's software has problems but when Microsoft has software in beta you have no problem denouncing it as crap.

I'm not suggesting Microsoft's software is better than Apple here. I'm just saying you Apple fanboys need to think a little bit before dumping on Microsoft.
Most of the people I know that dump on MS
by rcrusoe June 12, 2007 8:33 AM PDT
are MCSE's. You know what they say?:

"Those who know Windows best, like it least".
Well... it is a beta
by seannj427 June 12, 2007 7:53 AM PDT
In their defense, Apple did say it's a beta. And yes, in my initial tests the browser IS faster than IE. However, I have removed it until Apple patches the holes.

-Sean
Update: the exploits work on Mac OSX as well.
by fc11 June 12, 2007 7:54 AM PDT
http://erratasec.blogspot.com/2007/06/niiiice.html
Quote from this link:
I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff). The exploit is robust mostly thanks to the lack of any kind of advanced security features in OSX, I write about it here.
yeah, right
by shane--2008 June 12, 2007 9:51 AM PDT
this is from a guy who hasn't actually shown the information and
who STILL hasn't shown his supposed wifi hack.

until someone reputable says the same thing, this is BS.....
M-A-R-K-E-T-I-N-G
by Xenu7-214951314497503184010868 June 12, 2007 8:37 AM PDT
Do you think sending a flawless piece of software over the unwashed masses would encourage any of them to switch to a Mac? Let them suffer a bit in their buggy little world. Let them ponder a bit what life must be like for those OS X folk with their sleek machines.

Oh, and it's beta folks, on Windows.
safari crashed on me
by fwbroke June 12, 2007 8:58 AM PDT
installed it on winXP, went to change the start page and it crashed, restart, retry, recrash .... not 2x http performance with those specs.
Great here!
by ddesy June 12, 2007 9:21 AM PDT
No problems here, plus it runs faster than IE or Firefox as promised!

Once the bugs are worked out, it might just be my browser on the PC. Plus it's still my browser on the Mac as the security issues haven't affected me.
Aree your not the first
by wildchild_plasma_gyro June 12, 2007 9:13 AM PDT
Never mind apple keep it up and you'll get there
Yet Another Windows Browser?
by real_bgiel June 12, 2007 10:34 AM PDT
Don't they have anything better to do at Apple?
truth in HACKS it's the APP not the OS
by jabberwolf June 13, 2007 10:43 AM PDT
WOW will this actually teach Mac zombies a small lesson.

That most hacks and exploits are through Applications and not the OS.

And this might also show that Apple is not the best designer of programs, they really never have been.

Remember what they keep telling us, they are a HARDWARE COMPANY!! lol
Okay, hold up a minute
by BrandonEubanks June 14, 2007 9:06 PM PDT
Nobody has said that mac software is perfect. Because any
experienced Mac user knows it has its flaws. However, what is
commonly said, and I have found this to be true, is that the
flaws tend to be less hampering than on windows. Most
"flaws" in the UI of OS X are just oversights in design that can be
fixed through updates. For this little bit of trouble, you get a
more robust OS that has the comfort of a, may the Mac Gods
forgive me, windows comparable GUI yet the power of a
command line driven OS.

Next, yes we are going to remind you that this is beta software.
This is in fact the purpose of releasing software to the public in
beta form. To find all of the bugs that you can't work out in a
lab. What has happened is that new age companies like Google
have ruined the term beta by leaving their finished software
labeled as beta. Now, everyone thinks that just because it says
beta doesn't mean that it won't run well. That is exactly what
beta means. It will not run as well as the finished product you
are expecting.

As a note, I am using Safari 3 on my Mac and I have only found
one bug so far. On some pages, when you download a web
based PDF file the browser quits. However, I have not seen this
enough to say that it is the browser and not the sites. Anybody
know anything about this?
Can I believe my eyes
by andrew77uk June 15, 2007 4:55 AM PDT
Of course it's buggy, it's beta, and like stated before, the point of beta software is to iron out bugs. Someone asked does apple have nothing better to do? Well yes probably, but think outside the box. Releasing mac apps on the pc is great marketing for apple, the safari version on the mac will have more features, and if people like safari enough it may spark their interest in looking to get an apple mac.