Safari Security Claims Ignite Controversy

Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC. PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.

First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities. Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

News source: PCWorld


40 Comments


It's a freaking beta for God's sake... Every software has vulnerabilities being beta, first off, and second off, being ported to a totally different OS platform.

Dang... oh and I'm a freaking Windows fan till the day I die. But it's not fair to blame something for what it is not (yet).

Btw, yes Safari is very [censored] ugly...

This beta is definitely not ready for the public. I have installed it on 3 machines. 2 of the installs work (sometimes). The program seems to conflict with certain system configurations.

Screenshot

I have seen this problem on more than one system (my machine at work and a friend's). I should note that the above problem is not a crash. This is how Safari looks when I launch it (every time). I also tried reinstalling it. The new browser also seems to crash a lot when it uses plugins. Apple will of course blame the plugins for this (it uses Firefox plugins!). I noted several crashes when trying to view online video sites that use Flash players. However, these same sites do not crash when Firefox 2 is used. I am using Safari right now on my Mac, but I feel that Safari should remain on its original platform where it belongs.

maybe it's apple's secret goal to make safari full of flaws and blame the bugs on windows.

make false claims in their commercials to sway the technically challenged to switch to mac

well it is just a beta... what a surprise, it has vulnerabilities! seriously, what software these days DOESN'T have vulnerabilities. i've been trying it and it's actually not bad, but i don't think it's "the best browser ever" according to apple. in fact, it's far from it. it doesn't even utilize my back and forward buttons on my ****ing mouse.

Cyranthus said,
well it is just a beta... what a surprise, it has vulnerabilities! seriously, what software these days DOESN'T have vulnerabilities. i've been trying it and it's actually not bad, but i don't think it's "the best browser ever" according to apple. in fact, it's far from it. it doesn't even utilize my back and forward buttons on my ****ing mouse.

You misunderstood... When Apple says something is 'great' or the 'best ever' or the 'most advanced' it just means that it exists. You have to remove all the adverbs and the adjectives that aren't a color hue from their press releases...

Indeed, Cyranthus definitely misunderstood. No one is shocked that a piece of Apple software has flaws, in fact they are expected of any software. What most people are commenting on is the arrogance of Apple in declaring their product "the best" and "secure from day one".

I have been using the product for about two days. I don't see many rendering problems. It hasn't actually even crashed yet. I am running it under Vista with 1 gig of memory (the app takes between 60 to 80 MB). I don't like it as well as Firefox, but come on guys...

I don't think anyone's being overly harsh here. There are many complaints/issues of major stability problems under Vista. I used it in XP and didn't have any serious problems, besides it being the ugliest browser I've ever seen. :P

I couldn't even drag my bookmarks around in it to rearrange them without it freezing. Once again, my PC is Apple free.

Safari for Windows is a sorry excuse for a piece of Windows software anyways, even for a BETA product. All I see is random characters on every website as well as Safari's user interface and I can't even open its Preferences without it crashing every single time. I've tried pre-alpha versions of other web browsers that were more stable and reliable. I think Safari for Windows has potential but that beta version is a pretty bad start in my opinion.

Hey now, I don't see any random characters!!

I see large gaps of no characters at all... Before it crashes, that is.

I agree... Firefox, then Phoenix, in its pre-1.0 versions had less severe bugs than what Safari presented to me.

David Maynor lost all credibility with his last stunt. He obviously has an agenda. It is good to put security vulnerabilities on the table but it is best to do it in a responsible way.

His quote "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor." reeks of more arrogance and irresponsibility than anything Apple has done.

"reeks of more arrogance and irresponsibility than anything Apple has done"

Come again? He reported flaws; Apple, instead of saying "we f0cked up", spun it as "it's not our fault". I wouldn't want to report anything to them, either.

betasp said,
David Maynor lost all credibility with his last stunt. He obviously has an agenda. It is good to put security vulnerabilities on the table but it is best to do it in a responsible way.

His quote "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor." reeks of more arrogance and irresponsibility than anything Apple has done.

How is he helping security? Do you think any more than 10% of people who may actually use Safari will ever get the message of the vulnerabilities?

By publicizing the vulnerabilities he is merely bringing attention to himself rather than helping create an environment that is more secure. He also refuses to report issues to Apple because he doesn't like the way they treat the report and how they respond to him... that is arrogant and irresponsible. How about be responsible and do your due diligence. He is supposed to be a researcher, not a hacker. Report the issue to Apple and let them know that in 30 days the issues will be made available to the public.

betasp said,

How is he helping security? Do you think any more than 10% of people who may actually use Safari will ever get the message of the vulnerabilities?

By publicizing the vulnerabilities he is merely bringing attention to himself rather than helping create an environment that is more secure. He also refuses to report issues to Apple because he doesn't like the way they treat the report and how they respond to him... that is arrogant and irresponsible. How about be responsible and do your due diligence. He is supposed to be a researcher, not a hacker. Report the issue to Apple and let them know that in 30 days the issues will be made available to the public.

Isn't that how the mac survives? Just ignore any security risks and don't report the ones you find. Just ignore the missing wall on the building. It's raining outside but pretend it's still there. If you ignore it, no one will notice.

shift4 said,

Isn't that how the mac survives? Just ignore any security risks and don't report the ones you find. Just ignore the missing wall on the building. It's raining outside but pretend it's still there. If you ignore it, no one will notice.


Your post seems a bit sarcastic. Apple does not "ignore" security risks, if they did there would not be security patches. If someone finds a flaw they want it fixed within days, which is not reasonable. Even MS has moved to 30 day patch routines. I am sure Apple has some sort of ranking/queuing system to determine what needs to be patched. Just because they don't make a particular issue a top priority does not make it less important to report it to them. I also tend to not fault a company for downplaying an issue since that may help keep a person from focusing on that issue to create a virus/worm. MS and even Linux tend to do that...

markjensen said,
Hey, it's beta. I have been told that this is all ok. :)

Just slap a "beta" label on it, and hide behind that word.

Then we no longer need betas, right?

Powerless said,
Then we no longer need betas, right?

There's nothing wrong with betas but there is something wrong with making a press release about your beta fully knowing it's gonna be all over the news then crying "Beta!" when bugs are found.

markjensen said,
Hey, it's beta. I have been told that this is all ok. :)

Just slap a "beta" label on it, and hide behind that word.

Actually, who cares if it's "beta" ... The exploits are reported to work in OSX ... -THAT- version isn't beta, now is it? =P

Poof said,
Actually, who cares if it's "beta" ... The exploits are reported to work in OSX ... -THAT- version isn't beta, now is it? =P

bbuuuuuuurrrrrrnnnnnnnnn

I hope this will at least enlighten the people who think that everything made by apple is secure.
It also gives Apple less reason to bitch about Microsoft since even THEY can't write secure software.

But no doubt the Apple marketing machine will spin this around and we'll see a press release from them soon saying something like "We wouldn't have this problem if Windows was more secure", you know, like they did when their iPods were found to be harbouring viruses.

OMG get off your high horses. Apple is deliberately being targeted because the only people with the expertise capable of exposing such flaws use Windows and now crapple is bringing software to their doorstep and challenging them by saying that it's safe from day 1. Steve's smugness/arrogance is going to cost with security analysts threatening not to reveal such flaws to vendors who put so much marketing and spin on things.

payback is sweet

PS Windows Vista is the most secure commercial operating system by Secunia reports.

That was in no way the moral of this story. :p

It's even in the preamble: ;)

Security researchers have already found eight bugs in the Windows version of Safari Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.

That's pretty much what the researchers are trying to tell you, not that it's strange that they found bugs.

Jugalator said,
That was in no way the moral of this story. :p

It's even in the preamble: ;)

That's pretty much what the researchers are trying to tell you, not that it's strange that they found bugs.

it's telling me Mac is in denial and always has been when it comes to security, but yes "but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well" tells me that people actually try to hack Windows stuff.

this says to me that the reason that Mac OS doesn't suffer from more security issues, is because of less people trying to hack it. Otherwise surely the four Mac and PC vulnerabilities would have been found earlier?

I disagree with the fact that there are no advanced security features in OS/X, although there could be more...

I totally agree with you, 100%, on both points.

Apple making Windows software that is a hot target will be a very big headache for them IMO.