- home
- reviews
- news
- downloads
- cnet tv
On TV.com: 24 Movie is On the Clock
- log in
- join CNET
- welcome,
- my profile
- log out

CNET.com

The Download Blog

Click Here

June 12, 2007 6:13 AM PDT

Security researchers: Safari for Windows not so secure

by Robert Vamosi

Within hours of Apple's public release of the beta for Safari 3.0 for Windows, three security researchers independently found holes within the new browser. Researcher Aviv Raff highlighted in a blog post the company's product statement, that reads: "Apple's engineers designed Safari to be secure from day one." Raff found a vulnerability, a memory corruption error that could allow an attacker to insert malicious code on a Windows machine, within three minutes using publicly available fuzzing tools.

Security researcher David Maynor, posting on his Errata security blog, said he was also able to generate a memory corruption error "in no time." By the end of the day, he was able to generate a total of six bugs--four producing a denial of service (crash), and two capable of executing remote code.

Veteran security researcher Thor Larholm wrote in his blog that he found a "0day" vulnerability in Safari within two hours. The flaw exists in how Safari handles URL protocols within Windows, causing a denial of service (crash). Larholm has published an exploit to demonstrate the flaw.

All of the vulnerabilities were found on Windows machines; none of the researchers could say whether these flaws also existed on the Mac OS.

Originally posted at News Blog

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.

Topics:: Browsers and extensions,; Security and spyware

Tags:: security,; Safari,; browser,; Apple

Share:: Digg; Del.icio.us; Reddit; Facebook; Twitter

Recent posts from The Download Blog: Log in with your face; See what's under McAfee's new interface; Tales2Go: Get on-demand audiobooks for children; Microsoft, Google split over browser bug bounty; Mozilla plans to drop Mac OS X 10.4 support; TweetDeck gets a few tweaks; Adobe promises faster Flash on Macs; Security software maker Vitamin D exits beta

Add a Comment (Log in or register) (32 Comments)

prev
next

Month of Safari Bugs (MoSB)
by n3td3v June 12, 2007 6:47 AM PDT: It is known the Month of Safari Bugs is being coordinated with elements of the underground.<br /><br />Watch Full-Disclosure mailing list for more info.<br /><br />n3td3v; Like this Reply to this comment

Worms in an Apple

by DMAN3k June 12, 2007 6:47 AM PDT

Basically, if Mac OS is more popular, Mac OS will have tons more virii than Microsoft Windows. Don't we already know this? Didn't an independent security company find like 3 times more flaws for the latest Mac OS against Windows Vista and 2 times more for Windows XP?<br /><br />Well, if Apple wants to go mass PC, it's gonna be bitten. Congratulations to Microsoft... eh.

Like this Reply to this comment

...er...you forget the label
by weegg June 12, 2007 7:14 AM PDT: (Beta).<br /><br />Wait till final, then let them have it.; Like this

Apple should leave Windows alone
by MikeCerm June 12, 2007 7:23 AM PDT: I'm not sure that your figures are accurate, but I totally agree that, at best, OSX is not any more secure than Vista. Only real threat to security these days is users clicking on things they shouldn't, and granting malware access to their systems. That can happen just as easily on Mac as Vista, and if Mac ever does achieve significant marketshare, you'll see infections grow.<br /><br />The bigger problem I have with Apple is that they release horrible Windows software. iTunes is a bloated, often buggy mess. Quicktime is a file-association stealer, is really ugly, and fails to adopt any common Windows conventions, like being able to resize a Window from any side or corner (among others). <br /><br />Also, when Apple introduces security flaws (as they have in the past with Quicktime and iTunes), rather than admitting that they can't write secure code better than anyone else, they blame the insecurity of Windows, and take forever to patch their bugs. <br /><br />There are plenty of things to like about Apple, but their loathsome Windows software and arrogance about security problems will need to go if they're going to continue to grow.; Like this View all 3 replies Hide replies
Processing

umm, no
by shane--2008 June 12, 2007 9:56 AM PDT: no, it won't. Apache is more secure than IIS despite having <br />greater share. the security through obscurity myth is so old and <br />oft disproved that repeating makes you look foolish to everyone <br />else.<br /><br />did an company show otherwise? no. try reporting fact rather <br />than asking FUD.<br /><br />while the Mac OS has millions of installs and no viruses in the <br />wild, Vista was hacked before it had 100,000 installs. that is <br />the reverse of security through obscurity...<br /><br />IF safari is more prone to hacking on windows (i suspect it will <br />be) it will be due to the handling of calls in windows, and not in <br />the program itself. wait and see...; Like this

Slightly more exploits, much less severe
by Martin Pilkington June 13, 2007 10:27 AM PDT: There have been numerous cases of this sort of thing. Windows <br />having fewer exploits and such than Linux and OS X. For <br />example, there were figures for the last 6 months of 2006 that <br />showed Windows had 39 vulnerabilities, Red Hat Linux had 208 <br />and OS X had 43. It seems like Windows wins by quite a way, <br />until you look at the severity. Windows had 12 high priority <br />vulnerabilities, Red Hat Linux had 2 and OS X had 1. In essence <br />you're more vulnerable to having your browser or email client <br />crash on Linux or OS X but more vulnerable to having data loss, <br />your system taken over etc on Windows; Like this

Congratulations
by setgo June 12, 2007 6:49 AM PDT: You were able to put a bug in a browser. Something to share with the grandkids.; Like this Reply to this comment

B - E - T - A

by jaythree June 12, 2007 7:16 AM PDT

Look into it.

Like this Reply to this comment

I would agree, except
by catch23 June 12, 2007 7:47 AM PDT: <a class="jive-link-external" href="http://blogs.zdnet.com/security/?p=286" target="_newWindow">http://blogs.zdnet.com/security/?p=286</a><br /><br />"but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well"<br /><br />That is not a beta problem.; Like this View all 2 replies Hide replies
Processing

IE 7 vs Safari
by ArturoYee June 15, 2007 1:11 PM PDT: Very FAST!<br /><br />When all the bugs get worked out, its gonna be a KILLER APP!; Like this

Well, yes...
by Rick Cavaretti June 12, 2007 7:28 AM PDT: The installation of Safari on a non-native platform brings out 'all of <br />the fun'.; Like this Reply to this comment

BETA Schmeta

by kojacked June 12, 2007 7:38 AM PDT

I love how all of the Apple fanboys decry "BETA!" here when Apple's software has problemsbut when Microsoft has software in beta you have no problem denouncing it as crap.<br /><br />I'm not suggesting Microsoft's software is better than Apple here. I'm just saying you Apple fanboys need to think a little bit before dumping on Microsoft.

Like this Reply to this comment

Most of the people I know that dump on MS
by rcrusoe June 12, 2007 8:33 AM PDT: are MCSE's. You know what they say?:<br /><br />"Those who know Windows best, like it least".; Like this View reply Hide reply
Processing

Well... it is a beta
by seannj427 June 12, 2007 7:53 AM PDT: In their defense, Apple did say its a beta. And yes in my initial tests the browser IS faster than IE. However I have removed until Apple patches the holes.<br /><br />-Sean; Like this Reply to this comment

Update: the exploits works on Mac OSX as well.

by fc11 June 12, 2007 7:54 AM PDT

<a class="jive-link-external" href="http://erratasec.blogspot.com/2007/06/niiiice.html" target="_newWindow">http://erratasec.blogspot.com/2007/06/niiiice.html</a><br />Quote from this link: <br />I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for alot of stuff). The exploit is robust mostly thanks to the lack of any kind of adanced security features in OSX, I write about it here.

Like this Reply to this comment

yeah, right
by shane--2008 June 12, 2007 9:51 AM PDT: this is from a guy who hasn't actually shown the information and <br />who STILL hasn't shown his supposed wifi hack.<br /><br />until someone reputable says the same thing, this is BS.....; Like this

M-A-R-K-E-T-I-N-G
by Xenu7-214951314497503184010868 June 12, 2007 8:37 AM PDT: Do you think sending a flawless piece of software over the unwashed masses would encourage any of them to switch to a Mac? Let them suffer a bit in their buggy little world. Let them ponder a bit what life must be like for those OS X folk with their sleek machines.<br /><br />Oh, and it's beta folks, on Windows.; Like this Reply to this comment

safari crashed on me

by fwbroke June 12, 2007 8:58 AM PDT

installed it on winXP, went to change the start page and it crashed, restart, retry, recrash .... not 2x http performance with those specs.

Like this Reply to this comment

Great here!
by ddesy June 12, 2007 9:21 AM PDT: No problems here, plus it runs faster than IE or Firefox as promised!<br /><br />Once the bugs are worked out, it might just be my browser on the PC. Plus it's still my browser on the Mac as the security issues haven't affected me.; Like this

Aree your not the first
by wildchild_plasma_gyro June 12, 2007 9:13 AM PDT: Never mind apple keep it up and you'll get there; Like this Reply to this comment

Yet Another Windows Browser?
by real_bgiel June 12, 2007 10:34 AM PDT: Don't they have anything better to do at Apple?; Like this Reply to this comment

truth in HACKS its the APP not the OS
by jabberwolf June 13, 2007 10:43 AM PDT: WOW will this actually teach Mac zombies a small lesson.<br /><br />That most hacks and exploits are through Applications and not the OS.<br /><br />And this might also show that Apple is not the best designer of programs, they really never have been.<br /><br />Remember what they keep telling us, they are a HARDWARE COMPANY!! lol; Like this Reply to this comment

Okay, hold up a minute
by BrandonEubanks June 14, 2007 9:06 PM PDT: Nobody has said that mac software is perfect. Because any <br />experienced Mac user knows it has its flaws. However, what is <br />commonly said, and I have found this to be true, is that the <br />flaws tend to to be less hampering than on windows. Most <br />"flaws" in the UI of OS X are just oversights indesign that can be <br />fixed through updates. For this little bit of trouble, you get a <br />more robust OS that has the comfort of a, may the Mac Gods <br />forgive me, windows comparable GUI yet the power of a <br />command line driven OS.<br /><br />Next, yes we are going to remind you that this is beta software. <br />This is in fact the purpose of releasing software to the public in <br />beta form. To find all of the bugs that you can't work out in a <br />lab. What has happened is that new age companies like Google <br />have ruined the term beta by leaving their finished software <br />labeled as beta. Now, everyone thinks that just because it says <br />beta doesn't mean that it won't run well. That is exactly what <br />beta means. It will not run as well as the finished product you <br />are expecting.<br /><br />As a note, I am using Safari 3 on my Mac and I have only found <br />one bug so far. On some pages, when you download a web <br />based PDF file the browser quits. However, I have not seen this <br />enough to say that it is the browser and not the sites. Anybody <br />know anything about this?; Like this Reply to this comment

Can I believe my eyes
by andrew77uk June 15, 2007 4:55 AM PDT: Of course its buggy its beta, and like stated before, the point of beta software is to iron out bugs. Someone asked does apple have nothing better to do? Well yes probably, but think out side the box. Releasing mac apps on the pc is great marketing for apple, the safari version on the mac will have more features, and if people like safari enough it my spark their interest in looking to get an apple mac.; Like this Reply to this comment

(32 Comments)

prev
next

Search Download Blog posts

About The Download Blog

Download.com editors cover the world of downloadable software and beyond.

Add this feed to your online news reader

The Download Blog topics

download: Site map; Help center; Our software policies; Newsletters; Submit software

Popular topics: Apple iPhone; Apple iPod; Cell phones; CES 2010; GPS; LCD TV

CNET sites: CNET Site map; CNET TV; Downloads; News; Reviews; Shopper.com

More information: Newsletters; CNET Mobile; CNET Widgets; Customer Help Center; RSS; CNET API; About CNET

© 2010 CBS Interactive. All rights reserved.
Privacy Policy (UPDATED)
Terms of Use
Mobile User Agreement
Visit other CBS Interactive sites:

#networkSites {display:none;}BNET | CHOW | CNET.com | CNET Channel | GameSpot | International Media | mySimon | Search.com | TechRepublic | TV.com | ZDNet

My Lists
My software updates
log in | join CNET