Windows Safari beta riddled with security holes

Apple loves to gloat about the viruses and security holes that frequently hit Windows software, but with its newly-released Safari browser beta for Microsoft’s operating system, the iPod maker certainly isn’t setting a good example. As CNet reports, security researchers managed to find security holes in the Windows version of Safari within hours of the browser’s release.

One vulnerability, which was uncovered by researcher Aviv Raff in just a few minutes using publicly available software, is a memory corruption error that could be exploited to allow the execution of malicious code. Security researchers David Maynor and Thor Larholm, too, found bugs. In a blog entry, Maynor explains, “I’d like to note that we found a totl [sic] of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs. We have weaponized one of those to be reliable and its diffrent [sic] that what Thor has found.”

The researchers don’t say whether the bugs also affect the MacOS X version of Safari, but this certainly doesn’t bode well for Apple’s first effort in the Windows browser world—as much as Apple might boast that its engineers “designed Safari to be secure from day one.”

Comments closed
    • Hattig
    • 12 years ago

    Maynor’s a rather dubious fellow to be honest, there’s plenty about his “never disclose” method of reporting these holes, which strangely all seem to result in him getting blog hits and not much more.

    Still, I’m sure there are plenty of holes, although one has already been traced to Windows’ URL handler rather than Safari, seems that Safari needs more checks on the data.

    Seems that this is what the Beta program is for – there are bound to be platform differences that need to be coded for and this beta will catch them. It’s clearly marked as a beta, so I don’t know what the issue is (if Apple are told the issues and they’re fixed in a timely manner, another problem with that Maynor fellow is his childish refusal to disclose the details, so they can’t even be independently validated).

    As for OS security, that’s a different thing. Apple have gained from having a sensible base OS and platform, but I’m sure there are holes a-plenty in their proprietary higher level stuff.

    • Detaer
    • 12 years ago

    Flaws in a beta? SHOCKING NEWS.

      • Palek
      • 12 years ago

      Inconceivable!!!

    • hellokitty
    • 12 years ago

    Apple is clueless when it comes to security.

    The only reason they are somewhat secure is because no malware programmer gives a crap about 5% of the population using Macs.

      • wesley96
      • 12 years ago

      Do you have facts to back this up, or are you just Appletrolling?

        • Sniper
        • 12 years ago

        It’s well known THAT’s why Apple doesn’t have many security holes. No one gives a crap!

          • Reldey
          • 12 years ago

          Yeah, who wants your iPod music collection, or your shitty garage band mixes?

          People that create viruses want business information, credit cards, social security numbers and what not.

          Windows doubles as an entertainment and business solution, which is why more hackers choose to go with windows. (and because the ratio of windows to macs is 6 to 1)

    • VooBass
    • 12 years ago

    It’s Apple BS like this that makes me loathe Apple. Some nice products (their iMac/G3-G4 products were flat out garbage but Intel has helped them become competitive) but the company itself exists by keeping the sub-100 IQ crowd on an IV of lies and misinformation.

    • blastdoor
    • 12 years ago

    Apple made a mistake by including Safari on Windows in the keynote and by suggesting that they plan to compete in the Windows browser space.

    They should have pitched this as a tool for developers to make sure their stuff will run on macs and iphones. It should have been a low key announcement, not included in the keynote.

    Over time, once they worked out all of the kinks, they could have tried to launch it to a broader audience of Windows users. But it was a big mistake to do that now.

    In a karma-kind of way, they sort of deserve this — I’m annoyed at all of the resources being diverted away from OSX development to iPhone development. In some ways, this serves them right.

    • provoko
    • 12 years ago

    haha

    • Chrispy_
    • 12 years ago

    Of course it’s riddled with security holes, it’s running on Windows.

    MacOS is safer than windows because hackers can’t be arsed to dig around for Mac software flaws when the same amount of effort will allow them to crack/hack/exploit an audience 20 times larger if they aim at Windows.

    It’s nice to see the Apple-propagated myth that “Mac programming is more secure” overturned by this simple, yet telling, empirical data.

      • steelcity_ballin
      • 12 years ago

      I’d bet that MacOS is just as vulnerable as anything else, but consider the payoff. Someone who wants to write something malicious isn’t going to target small game like MacOS users, they will target the largest audience they can, Windows users.

        • Chrispy_
        • 12 years ago

        Exactly what I mean. MacOS is only safer because it’s considered small-fry by most hackers.

        • Fighterpilot
        • 12 years ago

        Given how malware writers love to sign their exploits and boast about them on haxor websites and chat rooms, wouldn’t the fame of being “The Guy who hacked OSX” be a pretty coveted title? It would certainly establish their “leetness” in the malware community and raise them to a standout level amongst the hordes of script kiddies attacking Windows.
        The idea that they don’t target OSX because of the small user base seems to be a bit of a red herring in that respect….

          • barich
          • 12 years ago

          There’s a fundamental difference between viruses and spyware. Very few people are writing spyware for fun. It’s a money thing. And there’s very little money to be made by infecting Mac users.

            • Fighterpilot
            • 12 years ago

            umm….The article mentions security flaws allowing remote code execution, the vector is a virus not spyware.
            Unless Mac users are a poor bunch then I suspect that individually there’s as much money to be made off them as Windows users…..

            • TheTechReporter
            • 12 years ago

            “The Guy who hacked OSX”?
            Newsflash: OS X _has_ been hacked before. It’s not uncharted territory or anything.

            _Individually_ there may be as much money to be had, but seriously, who cares about _that_?
            More victims = more money; the dollars per capita is really irrelevant to malware authors.

    • Corrado
    • 12 years ago

    It’s called a Beta for a reason. People seem to think that just because something is released, that it is ‘finished’ when it’s VERY CLEARLY labeled a beta. They WANT you to find these holes so they can fix it up before it’s ‘final’

      • Thresher
      • 12 years ago

      Hence the “bug” icon at the top.

        • Flatland_Spider
        • 12 years ago

        That’s for reporting websites that don’t render correctly not bugs in the actual program. Firefox has a similar toolbar button that just has to be added from the customize menu.

      • indeego
      • 12 years ago

      Don’t tout security then in your marketing! I’d be fine with a functionally buggy browser, yet secure, it shows that security is top priority for the development.

      But this was an alpha product and it shouldn’t have been released.

        • Mithent
        • 12 years ago

        Indeed.. it’s one thing to accept that a beta version will have flaws, and quite another to release a public beta with major security problems. In my view, a public beta is a version which has gone through its major testing, and so they want the public to find small machine- or website-specific errors before release, not generally one with so many flaws that 6 bugs are discovered in hours.

    • flip-mode
    • 12 years ago

    This whole event has generated a lot of hype. It doesn’t seem that exciting to me.

    • Vrock
    • 12 years ago

    I’m sure Apple will blame the security problems on Windows instead of Safari.

      • Justice
      • 12 years ago

      Or at least the fanboi’s will.

      • bhtooefr
      • 12 years ago

      Post #33, lol.

    • Willard
    • 12 years ago

    Apple really does want to be like MS!

    • herothezero
    • 12 years ago

    Do they affect OSX also? That’s what would be interesting.

    Safari on Windows is far from interesting.

      • Flatland_Spider
      • 12 years ago

      Safari on MacOS is far from interesting.

      It would be one thing if it could render ActiveX code but it can’t, so I’m stuck using IE or switching to Windows when I need to access stuff written in ActiveX.

      Firefox is on all of the platforms that I use, so I just use that instead.

      • Flatland_Spider
      • 12 years ago

      Oops! Double post.

    • BobbinThreadbare
    • 12 years ago

    security through anonymity doesn’t work on windows.

      • DASQ
      • 12 years ago

      I think the phrase you’re looking for is “security through obscurity”.

    • nagashi
    • 12 years ago

    It’s a beta; give them a break. Beta software has bugs. Most GA software has bugs.

    Judge em 4 months after it’s officially released.

      • lemonhead
      • 12 years ago

      Never! This is the anti-apple establishment site.

      Agreed. I don’t think anybody will be using this after a few minutes anyway. Sounds like almost an alpha, just released to coincide with the dev conf.

      • Sniper
      • 12 years ago

      y[

        • Reldey
        • 12 years ago

        agreed.

        yeah four months AFTER all of your billing information was taken from some malware that waltzed in on your web browser.

      • sigher
      • 12 years ago

      Normally a company does the testing of software BEFORE release, especially if it’s potentially damaging to release it with holes, don’t be fooled by Vista’s example into thinking it’s normal to release beta software as being ready.
      And yes even public betas should not have big holes into people’s privacy but should have smaller bugs that are less damaging I think.

    • Ricardo Dawkins
    • 12 years ago

    a few words need spelling check..here and there on the news item.

    the vowels on your keyboard aren’t in good shape, man.

      • Cyril
      • 12 years ago

      Make that the vowels on David Maynor’s keyboard. 😉

    • Ricardo Dawkins
    • 12 years ago

    jeje..this thing is better than IE with the security holes…jeje

    FF FTW. fp!

      • axeman
      • 12 years ago

      kekekekeke!

      • eitje
      • 12 years ago

      don’t bother w/ axeman, making fun of your latin roots. 😛
