Security flaw hits Safari (Windows) only hours after release

Security researcher Aviv Raff claims to have found the first security vulnerability in Apple's Safari browser on Windows only hours after the software was released. Raff tested the application against a standard browser security testing tool. "A first glance at the debugger showed me that this memory corruption might be exploitable. Although I'll have to dig more to be sure of that," he wrote on his blog.

Apple unveiled a beta of a Windows version of its Safari web browser on Monday. The final product is scheduled for release in October. In a keynote presentation at Apple's Worldwide Developers Conference in San Francisco, chief executive Steve Jobs claimed that the browser would run up to twice as fast as Microsoft's Internet Explorer, but did not mention Internet Explorer's security record.

View: The full story
News source: Vnunet

Report a problem with article
Previous Story

VMware Windows-on-a-Mac product close to launch

Next Story

HD DVD sales spike in wake of price cuts

61 Comments

Commenting is disabled on this article.

Kill two birds with one stone, Apple, will ya?

a) Yet another browser for Windows. Yay.

b) Yet another awesome Apple software port to Windows. Y'know, like iTunes, Quicktime...people just can't get enough of those.

The security of Apple's software is no more or less secure than Microsoft's software.

Now we'll get some real insight (although limited) into just how more "secure" Apple's software is than Microsoft's.

Simply put, it's not. :-)

It has nothing to do with a Windows theme, that's for certain. I've been playing with this bug all morning and my gut tells me that it's related to the lucida grande font version on the user's computer.

If I remove my lucida grande font, I get the empty menu which appears in the above screenshot. If I use the version of lucida grande that I had previously, the font looks Russian however. If I remove lucida grande and hope that Safari installs it, well, it doesn't seem to.

It's an odd one...

Look at my screenshot of my first run of Safari! Notice the absence of any text; also the addressbars and search bars are not clickable! BWHHAHAHAHHAHAHHA!

Good start Apple! (y)

You try running a beta browser on a hacked copy of Windows, and you don't expect odd behavior and blame the browser? That's just plain stupid, end of story.

roadwarrior said,
You try running a beta browser on a hacked copy of Windows, and you don't expect odd behavior and blame the browser? That's just plain stupid, end of story.

You're either being blinded by your bias or you have no comprehension on the hacked uxtheme file and it's lack of effects on an install. The problems being exhibited are not caused by a hacked uxtheme. Hacking the uxtheme ONLY removes a security check, nothing more.

roadwarrior said,
You try running a beta browser on a hacked copy of Windows, and you don't expect odd behavior and blame the browser? That's just plain stupid, end of story.

it doesn't llook like a hacked copy to me, it's vista by the looks of it, i bet it just doens't work on vista (not much does)

whocares78 said,

it doesn't llook like a hacked copy to me, it's vista by the looks of it, i bet it just doens't work on vista (not much does)

there have been some stupid comments but your definitely takes the cake!!!!

offroadaaron said,

there have been some stupid comments but your definitely takes the cake!!!! ;)

how is that comment stupid. is it that it doesn't look like a hacked copy (i was being sarcastic, i.e how the hell does the guy know it's a hacked copy just by looking at a screen shot) is it the not much works on vista thing, cause i don't know if youve tried but not much does or was it the looks liek vista bit, well it does a bit

All you people who are defending apple should write Steve a(nother) thank you letter. Hopefully he'll find time to read yours. But don't get your hopes up, he has 'tens of dozens', of thank you letters to read from his iTunes fan base.

thank you letter? more like hate mail!

the first thing to happen when i install the thing, it crashes Firefox (i still can't figure out how).

and this thing is a typical apple application: rather than using the existing framework, they try to re-invent the wheel. as soon as the thing opens, it prompts me for my domain password (i tested this on a pc on work). every other browser on the planet "just works" with domain authentication, apple brings their keychain madness with them.

they also brought along their own font smoothing engine. everybody else can use cleartype and dodge the overhead, but not Apple.

sheets? i hope this is a place holder for an actual dialog. if i wanted swishing dialogs, i'd stick to the mac (where i don't even use Safari anyway).

Safari on Windows is pretty much that, Safari on Windows. a straight-up port, right down to the Mac OS technologies they felt we needed (Windows is keyboard accessible by design; we didn't need you to not make your app. conform and then pretend to offer me the ability to tab between links and fields).

take this one off the website, Apple. this one just ain't ready for primetime.

I had no issues using Firefox when I installed it. It does, however, install Quicktime right along with it. I wasn't able to get Quicktime to start up after I installed the beta. They may want to look into that. Nothing Apple makes conforms to windows look and feel.

what i dont get is WHY apply is making a webbrowser for windows? ... Firefox/Opera pretty much cover all people need in terms of alternatives.

Testing purposes. No need to buy Macs for testing their sites in Safari, or illegally hacking OS X to run on non-Apple machines or in virtual machine environments.

ThaCrip said,
what i dont get is WHY apply is making a webbrowser for windows? ... Firefox/Opera pretty much cover all people need in terms of alternatives.

There is a little thing called the iPhone being released soon. It's user base will more than likely also include Windows users. Safari et al. will be needed for integration and synchronization.

Safari why do we need another web browser? Is Safari even good on the MAC? I tried on a mac for like 2-4 hours and was not happy with it and installed Firefox.

I'm plenty surprised enough that Apple even bothered releasing Safari for Windows.

Apple does need to get a grip on the security today. No computer is 100% safe out on the internet, and Mac OS X has its own vulnerabilities. Also, their Quicktime is quite often exploited.

But I did happen to like Safari. Much more polished than its predecessor.

I used Safari for about 5 minutes, didn't like it, installed it. I don't know what system they benchmarked it on but it was not faster then IE7 or Firefox.

You completely misunderstood Steve!! Sometimes he leaves words out to make a bad thing sound like a feature. According to most of the comments I've read it crashes 2x+ faster than Firefox or IE. :cheeky:

The flaw is in Safari, not in Windows. Apple software is buggy, oh yes, but their bugs are only revealed when Apple actually steps it's foot into a large user base, such as that which is Windows. There are simply more users to find the bugs in the first place.

Lt-DavidW said,
The flaw is in Safari, not in Windows. Apple software is buggy, oh yes, but their bugs are only revealed when Apple actually steps it's foot into a large user base, such as that which is Windows. There are simply more users to find the bugs in the first place.

i think he menat welcome to the world of windows, where people actually do try and find seurity holes in your software because it's instaled on more than 5 computers LMAO

Raff tested the application against a standard browser security testing tool.

So...why didn't Apple do this before releasing this to the public?

maybe noone told them it was a "standard tool" i want to know what toold they used, i ididn't know there was a standard tool to check this.

I honestly think Apple (and any company, for that matter) needs all the security experience it can get. I'm sure Safari on Windows will give them more than plenty. ;)

Certainly not at the user's expense, but, hopefully they respond quickly to such matters once it goes out of beta.

I agree, I never saw any news regarding that safari will be release it for windows too. I was shocked when I saw Safari for windows.

beta or not, security is not something you add, it has to be there by design. partly because of disciplined programmers using safe functions or checking for buffer overflows and partly because of a well laid out design fase in which as many possible security risks are evalued

It's really has plenty of bugs, in there past 24 hours I had all kind of bugs with Safari Beta on Windows.

But still it's Beta. Small program and we still have to wait 4 months while they finish it. Everything is okay, just make it really good.

Heh, I guess Apple didn't test it enough. Now that they are becoming a Windows software developer they are going to have to deal with all the issues that come with Windows users/systems. Ah well.

saxondale. said,
Beta.
Which means what, exactly?

Many people are installing it and using it. They could be affected. Apple needs to take this seriously and correct. No big deal, really, as all software goes through this process.

But calling something "beta" when it is released to the public (and announced with no small degree of fanfare, I might add) does not excuse it from letting bugs go unfixed, or to justify their existence.

At this point, I would expect a fix to be issued soon. Same as I would expect of Microsoft or a Linux vendor.

markjensen said,
Which means what, exactly?

Many people are installing it and using it. They could be affected. Apple needs to take this seriously and correct. No big deal, really, as all software goes through this process.

But calling something "beta" when it is released to the public (and announced with no small degree of fanfare, I might add) does not excuse it from letting bugs go unfixed, or to justify their existence.

At this point, I would expect a fix to be issued soon. Same as I would expect of Microsoft or a Linux vendor.


This is what neowin says: This is BETA software!, please use caution when installing it on your system

If you're installing it, you should be very aware what problems you could face. You would have to be stupid to install it and not expect problems to occur, this is why its not forced upon you. Apple are not forcing it upon people to install it, they are simply allowing people at their own will to install it. Anyone who thinks this should be perfect from the ready shouldnt be installing such things.

saxondale. said,

This is what neowin says: This is BETA software!, please use caution when installing it on your system

If you're installing it, you should be very aware what problems you could face. You would have to be stupid to install it and not expect problems to occur, this is why its not forced upon you. Apple are not forcing it upon people to install it, they are simply allowing people at their own will to install it. Anyone who thinks this should be perfect from the ready shouldnt be installing such things.

+1 Agreed

I guess you mis-understand what my point is. Or I have not made myself clear enough.

I expect bugs in "beta" software. I don't expect software widely released with such fanfare to be "beta"; that is just using the term as an excuse or cover.

I expect software to be released to the public like this to have been "tested [...] against a standard browser security testing tool", as per what the discoverer claimed to have done. A standard tool. I expect this sort of basic quality control of a product before announcing a public release. This would have identified the security problem to Apple before they released this "beta" to the world.

That said, the problem is out. The only thing left is to expect Apple to fix it quickly.

Quote - saxondale. said
...
If you're installing it, you should be very aware what problems you could face. You would have to be stupid to install it and not expect problems to occur, this is why its not forced upon you. Apple are not forcing it upon people to install it, they are simply allowing people at their own will to install it. Anyone who thinks this should be perfect from the ready shouldnt be installing such things.
Two things. First, I am glad I do not fall under your definition of "stupid", as I haven't installed it. No interest in it, as this time. Second, there is a difference between "problems" and "security flaws that are readily identified with standard tools".

markjensen said,
I guess you mis-understand what my point is. Or I have not made myself clear enough.

I expect bugs in "beta" software. I don't expect software widely released with such fanfare to be "beta"; that is just using the term as an excuse or cover.

What "fanfare"? It was featured at a developers convention almost as a footnote. The fact that tech sites like this picked up on it is hardly a reflection of the general population of the internet. Most people online don't even know what a web browser is, or that there are different ones, they just know that they click on a certain icon to get to their web pages.

roadwarrior said,

What "fanfare"? It was featured at a developers convention almost as a footnote. The fact that tech sites like this picked up on it is hardly a reflection of the general population of the internet. Most people online don't even know what a web browser is, or that there are different ones, they just know that they click on a certain icon to get to their web pages.

its on the freakin BBC :P

roadwarrior said,
What "fanfare"? It was featured at a developers convention almost as a footnote. The fact that tech sites like this picked up on it is hardly a reflection of the general population of the internet. Most people online don't even know what a web browser is, or that there are different ones, they just know that they click on a certain icon to get to their web pages.
Even my wife heard this, and she isn't an Apple person, nor a geek like me (and most of Neowin, I imagine).

Despite anyone's opinion on this issue up to now, the only thing to do is wait for Apple to fix this in a timely manner.

markjensen said,
And a big, fat link right on Apple's main page.

And how many people who aren't already interested in Apple (or found out about the browser from some other source) would be looking at Apple's main page just for the hell of it? Yes, some news outlets have talked about it, but I wouldn't exactly call that "fanfare" since it more than likely wasn't Apple who submitted that news to them.

roadwarrior said,
What "fanfare"? It was featured at a developers convention almost as a footnote.

ONE MORE THING IS NEVER A FOOTNOTE.

roadwarrior said,
And how many people who aren't already interested in Apple (or found out about the browser from some other source) would be looking at Apple's main page just for the hell of it? Yes, some news outlets have talked about it, but I wouldn't exactly call that "fanfare" since it more than likely wasn't Apple who submitted that news to them.
Oh, my bad, then.

A secret beta like this is perfectly OK to release without performing testing with what is claimed to be an industry standard browser security testing tool (which would have revealed this buffer overflow issue).

It's all good.

markjensen said,
Which means what, exactly?

Many people are installing it and using it. They could be affected. Apple needs to take this seriously and correct. No big deal, really, as all software goes through this process.

But calling something "beta" when it is released to the public (and announced with no small degree of fanfare, I might add) does not excuse it from letting bugs go unfixed, or to justify their existence.

At this point, I would expect a fix to be issued soon. Same as I would expect of Microsoft or a Linux vendor.

Beta means close enough to exactly the following

"Software that is very close to a final version but still has a number of knownw issues, this is "usually" released to a limited number of normal users to see if there are any unknown issues that appear on certain machines or with certian configurations, remembering almost every single PC in the world is different, either software or hardware wise, there are not a lot of machines that are completely identical, whcih means no company can possibly test every single scenario, this is why beat tests are used.

basically it is development companies saving money by gettign the public to test their software for them

Beta being beta i would assume they will fix any bugs found especially critical ones(whcih this issue may not even be, it appears from the articel he only thinks there might be an issue) as that is the purpose of beta releases. hey hasn't gmail been in beta for like it's whole life.

people that install beta software do so at their own risk and i actually woudl have expected apple to mention such on their download site, Microsoft puts discalimers all over their beta apps saying this app should bnot be installed in a production environent.

rob.derosa said,

its on the freakin BBC :P


and the whole world watches the BBC, i never even heeard of it until i read this artcle, and i don't generally go looking on apples site so it aint that big and the fact i work for a development company adn not one single person in the office had heard of this before i told them says it really aint that big a deal.

markjensen said,
Oh, my bad, then.

A secret beta like this is perfectly OK to release without performing testing with what is claimed to be an industry standard browser security testing tool (which would have revealed this buffer overflow issue).

It's all good.

IT'S BETA. you arent a programeer are you?

is claimed to be an industry standard (i am glad you put claimed), "did someoen tell apple it was industry standard" no hacking tool is industray standard, there are so many different tools that do the same thing, apople may have tried on e tool that didn't find it, you never know.

i hate apple but u can't put the blame on them once again BETA, i don't install softweare that says beta, if i want my computer to keep working.