News Blog

Apple has started offering Windows users its Safari 3.1 Web browser through the same online updater it utilizes for iTunes and the QuickTime video player.

With the release of Safari 3.1 on Tuesday, Apple started giving Windows users the option of downloading Safari via the Apple Software Update pop-up.

"Safari for Windows is the fastest and easiest-to-use web browser for the PC. It displays web pages faster than any other browser and is filled with innovative features -- all delivered in an efficient and elegant user interface," states Apple's message in the pop-up screen.

The move is a more aggressive play by Apple to snatch browser market share from Microsoft.

In February, Microsoft's Internet Explorer had a 74.9 percent share of the browser market in terms of usage, while Firefox had 17.3 percent, and Safari had 5.7 percent, according to figures from Net Applications, which measures Web traffic and market share.

Care for some Safari with your iTunes?

(Credit: Apple)

Mary Jo Foley at ZDNet notes that when Apple CEO Steve Jobs first unveiled Safari for Windows last June, he said that the main way Apple planned to get Safari on Windows is through its Software Update program.

"Jobs said that Apple plans to use iTunes as a distribution vehicle for Safari for Windows. He noted that there are a million downloads of iTunes a day, with 500 million of those going to Windows machines."

Following last Friday's release of Safari 3.0.2 comes a brand-new Monday morning vulnerability. Researcher E. Azizov of ITdefence in Russia posted on the Bugtraq newsgroup a demonstration of a buffer overflow in the Windows XP version of Apple's browser. Specifically, the new vulnerability affects the title buffer in Safari bookmarks. If the title of a page you wish to bookmark in Safari 3.0.2 exceeds 1,024 bytes, as soon as you save the bookmark (Ctrl+D) your computer may become compromised.

Security researcher Robert Swiecki, who two days ago disclosed a URL vulnerability within the new Safari 3.0 for Windows beta, has another. The new flaw requires a user to visit a specially crafted Web page. There, an attacker can write whatever name in the URL toolbar and fill the client browser window with arbitrary content. He provides an example (link should be viewed within Safari).

In response to other Safari 3.0 vulnerabilities, Apple yesterday released an updated version that addresses three of the public vulnerabilities. Swiecki says he tested this latest vulnerability on Safari 3.0.1 (522.12.12) running Windows 2003 SE SP2.

Security researcher Robert Swiecki disclosed yesterday another vulnerability within the new Safari 3.0 for Windows beta, bringing the total of public vulnerabilities to nine. The latest flaw allows an attacker to steal a cookie. The flaw exists in the Javascript's window.setTimeout()implementation where the content timer-triggered function is processed after window.location property is changed.

In response to other Safari 3.0 vulnerabilities, Apple today released an updated version that addresses three of the nine public vulnerabilities.

Stung by the harsh reception to Safari for Windows (beta), Apple today released Safari 3.0.1 for Windows (beta), addressing three flaws. The updated version patches CVE-2007-3186, a command-injection vulnerability that may lead to arbitrary code execution; CVE-2007-3185, an out-of-bounds memory read issue that may lead to an unexpected application termination or arbitrary code execution; and CVE-2007-2391, a race condition that may allow cross-site scripting. The patches are issued for Windows XP and Windows Vista users; these issues do not affect Mac OS X systems.

The latest version can be downloaded from Apple here.