Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Safari Beta Security Slammed; 8 Vulnerabilities Found

Macrumors said:
security researchers have found a host of security issues for both the Mac OS X and Windows versions
Click to expand...

Macrumors said:
In each incident, the researchers seemed to take issue with Apple's claim that "Apple engineers designed Safari to be secure from day one." To be fair, the software is still in beta, although the beta on OS X overwrites the user's previous version of Safari.
Click to expand...

(quoted the important info from the Macrumors post)

Some of you guys need to get a grip; this isn't a Windows-only problem, it is a Safari 3 problem. Read the post before you bother blindly trying to defend Apple and criticize Windows or play the "beta" card.

Apple shouldn't have made their security claims. Whether the software is beta or not is irrelevant. Claiming security on a browser these days is foolish; claiming anything on software you know is beta is even more foolish.

Sheesh...:rolleyes: :cool:
 
Sigh, this was so going to happen. I knew it! But then again, you can't really blame Apple for thinking like Apple. Most of the core of OSX is already secure and if you look at the vulnerabilities it involves mostly command line exploits to the host OS. Fine, so Apple was complacent on windows security and didn't do it the "Microsoft" way but I think overall this will be good. It would give Apple a chance to see how exploits and vulnerabilities appear and maybe make them a bit more security conscious. A more secure operating system is always better IMO.

Ps: Looking at Apple's page on safari. Apple seems to be more concerned with personal security (i.e Credit card info, personal information, banking?) and the like instead of these so called security vulnerabilities that have been discovered. Can they be used to steal information or compromise a secure SSL session? If they can then boo to Apple. If not, well Apple wasn't focusing on that.
 
Didn't they pulled...

...all QA ressources over to the iPhones teams, explaining the awful beta version? This quality of the first release is now a good tradition for apple software nowerdays. see (SLOOOOW) aperture 1.0, or several (CRASHING) iTunes versions.
 
rainydays said:
I still don't get why apple choose to port Safari to Windows.
Click to expand...
One word: iPhone. Jobs said that "application" development on the iPhone will take the form of AJAX-based services that run through it's web browser. That browser is Safari. By shipping Safari for windows, developers that want to deploy iPhone apps won't need to buy a Mac for their development.

I'm sure some people will see this as a mistake, claiming that those developers would've bought Macs, but I disagree. I don't think a lot of potential iPhone developers will want to go through the red-tape of getting a Mac approved for their corporate network.
poopooplatter said:
... headlines like this are popping up everywhere.

http://www.huffingtonpost.com/2007/06/12/hacked-within-hours-of-i_n_51852.html
Click to expand...
Since when did Ariana Huffington become a technology expert? And since when did her blog become anything more than a forum for political commentary?

And their sensationalist headline is pretty pointless. It implies that there's already been an exploit of some kind, even though no such thing has been demonstrated, and the article only describes a crash.
seashellz said:
I really do hate being an unpaid Beta-tester, Mr. Jobs
Click to expand...
So don't be one. Uninstall the beta and wait for it to be released.
 
excited.

I was excited to read that Safari 3 beta was out for windows. I know it is beta and not secure, but I think i will try it in my old windows computer. i love the way safari works on my mac.
I may tell my daughter to hold off on downloading it though, sounds like there are way too many problems with it.

thanks for the heads up all :D
 
savanahrose said:
I was excited to read that Safari 3 beta was out for windows. I know it is beta and not secure, but I think i will try it in my old windows computer. i love the way safari works on my mac.
I may tell my daughter to hold off on downloading it though, sounds like there are way too many problems with it.

thanks for the heads up all :D
Click to expand...

I've been running it under Parallels in my Bootcamp partition and absolutely no problems. Very fast and beautifully rendered.
 
Hmm, this website actually goes through and shows you how to craft an attack based on the loophole that Safari allows. It also requires FF be installed on the windows system. He doesn't mention that OS X is affected so I assume not.

Very very interesting read.

[EDIT: Apparantly based on the comments at the end OS X is also vulnerable to the same kind of attack]
 
I just wounder why Safari doesn't seem to like my forward, and backward buttons on my mouse, unlike Firefox, and IE.

It must just be beacuse it is also a Microsoft product.
 
Sweetfeld28 said:
I just wounder why Safari doesn't seem to like my forward, and backward buttons on my mouse, unlike Firefox, and IE.

It must just be beacuse it is also a Microsoft product.
Click to expand...

I had the same problem with a Logitech MX518 mouse...so, no, it's not only a Microsoft mouse issue. ;)
 
zero2dash said:
I had the same problem with a Logitech MX518 mouse...so, no, it's not only a Microsoft mouse issue. ;)
Click to expand...



Cool, thanks.

Its still cool that Apple did release it for Windows though. It makes it so much easier to test websites using Safari, now my friend doesn't have to call me up and make me look at things for him.
 
poopooplatter said:
Really? Do you work in advertising or PR?
Click to expand...

No, do you?

Because your geek rationalizations defending Apple's release of a POS app has little to do with the impact this will on people's perception
Click to expand...

Oh, you're so nice!

of Apple when headlines like this are popping up everywhere.
http://www.huffingtonpost.com/2007/06/12/hacked-within-hours-of-i_n_51852.html
Not to mention the pimping it's getting on apple.com.
You and your fellow nerdlings go back to blaming a stupid public for not expecting an Apple-hyped "product" to **** up their stuff.
Click to expand...

It is uncontested by me, or anything I've read in this thread, that right now Apple is getting bad PR for the bugs, and that it is a result of bugs in Safari beta. That is FACT.
It is uncontested by me, that Apple should not have "pimped" it so much. However the announcment has been at two places, a developers conference, and on the main page (where it is listed as Beta). It shouldn't be on the main page perhaps, but that doesn't change what a beta is.

A Beta is an opportunity for software devs to get a million hours of volunteer testing in over night. Testing in ways they would have a hard time managing themselves. They don't release betas with known bugs, they find and fix as many as they can, but they are aware that having a million people all poke at it will reveal things it would take them forever to find. Therefore, Beta software is buggy by definition, and no company should be ridiculed like Apple is right now for having buggy software. Certainly the media didn't jump on Microsoft or anyone elses back for it. I use beta freeware/shareware a lot, but when I find a bug or it crashes I don't rip the author a new one.

What Apple is getting right now is blown out of proportion, that is fact. And just because it is, doesn't mean that Apple did anything wrong or evil. However, Apple could have done things a little different to lessen the impact.

~Tyler
 
Hopefully they'll get the security issues dealt with. The speed of the Safari for Windows browser when it comes to sites like Digg compared to Firefox or Opera has sold me on getting a Mac for my next computer. There is simply no comparison. Safari is significantly faster.
 
Bozinsky said:
...all QA ressources over to the iPhones teams, explaining the awful beta version? This quality of the first release is now a good tradition for apple software nowerdays. see (SLOOOOW) aperture 1.0, or several (CRASHING) iTunes versions.
Click to expand...

If only this was the first version of Safari. It's not. The first version comes out in a few months. Check back in then.
 
Anyone else not really give a damn about Safari on Windows? Apart from possibly making AAPL stronger, from a trader's point of view?
 
Much Ado said:
Anyone else not really give a damn about Safari on Windows? Apart from possibly making AAPL stronger, from a trader's point of view?
Click to expand...

This issue is iPhone. With Safari on all three platforms the web_apps will look and run consistently.

I've run the OneTrip sample app on both platforms and it is identical as far as I can tell.
 
Piece by piece.

You said, in regard to beta software being buggy...

johnee said:
wow, That is completely unethical.
Click to expand...

Says you? Because the rest of the developer and beta testing world, you know, those actively involved, as well as the agreement you made before installing the software, says otherwise.

tell me, exactly when were they going to get around to even test these issues?
Click to expand...

They were testing, they are testing, and they will continue to test. The beta testers were not testing, but now they are, and they are doing a good job it would appear. Sadly, some of those beta testers decide to slam Apple for what they find. Personally, I beta test to help a developer, not dig up "dirt" to give to the media for a buck and some quick fame...

Were they relying on the "test subjects at large" to find these holes?
Click to expand...
They rely on beta testers to find bugs that they wouldn't find in a million years. 20 people testing software for a hundred years won't find all the bugs that a million people will find in a day. It's just simple math on man hours. For simpler programs the 20 man team gets a lot more done in comparison, but on projects as large and open as web browsers, beta testing and beta testers are an essential part of the development.

You're telling me apple had no regard for security, and decided to let everyone be a victim, without making sure there were no security holes?
Click to expand...

Um... No? They let anyone willing to take the risk be a beta testers. This software is not for production or your leisure time. This is an unfinished project that you are allowed to use if you are willing to accept the risk, and be a nice guy and report the bugs you find.

This is not Apple giving you a freebie. That freebie comes when it reaches Final release, and is labeled "complete".

It took something like 6 HOURS for someone to find these!!!
Click to expand...

And? Are you telling me you could find it that fast? Don't make me go into the math again... Which is not to say that the people that found them aren't probably extremely smart and break code in their spare time.

If apple decided to completely disregard their own testing of their tool, they at LEAST could have hired someone to do it for them!!!!!!!!!!!!!!!!!
Click to expand...

I don't think you have a clue about this industry. So why don't you start reading agreements before downloading test software, start learning a little about the industry, and until you do, quietly sit down and don't get all panicky. Trust me, the world is not ending, now is it even really changing.
 
Okay, before this thread continues, I want to point out a few things that seem to confuse some people that don't have experience.

Just because someone found a bug or security hole, does NOT mean that Apple (or any company) was aware of it prior to it being found.
All possible holes and bugs are not on some list at company headquarters and are just on some waiting list, and if public people find them, they fix those first.

Code is a highly complicated ordeal, and "holes" are not visible or obvious. They often times link thousands of lines away in a particular manner under particular conditions to give someone who knows what they're doing an advantage.

Before any slams beta software from ANY company again, understand that. There is no substitute for large exposure beta testing of complicated software.
Some developing strategies and time well spent can decrease the number of bugs upon final release. But news flash, beta testing is one of those good developing strategies. You wouldn't want to know how buggy software on this scale would be (or how late to market) if all testing was done in house.

~Tyler
 
savar said:
Yeah but if this was IE7 beta we'd be laughing our butts off. Apple needs to make Safari a rival to IE and FF, and that won't happen if 7 bugs are found on day #1.
Click to expand...
Of course. But let's not confuse reality (that beta products have bugs, and often really nasty critical ones) with the fact that it's fun to poke fun at Microsoft.

Yes, Apple needs to make Safari a whole lot more stable than what we've seen so far. But this is still a pre-release product, no matter how many people are downloading it.

If there are serious bugs like this after it is released, I'll actually have a reason to be upset.
Sweetfeld28 said:
I just wounder why Safari doesn't seem to like my forward, and backward buttons on my mouse, unlike Firefox, and IE.
Click to expand...
I found the same thing with a generic scroll-wheel - it does nothing. Looks like a UI feature they just haven't gotten around to implementing yet.

I filed a bug report (via that nice "bug" icon on the toolbar) to tell them about it. I'm sure this'll be fixed before the final version is released.
 
I would tend to classify "day 1" as release day, but that's just the geek in me. I wouldn't expect everyone to interpret it that way.

Also, when you download the beta you agree to the EULA, including the following paragraph. It's the 2nd paragraph, and is all in bold.

"IMPORTANT NOTE: THIS IS “BETA”, PRE-RELEASE, TIME-LIMITED SOFTWARE MEANT FOR EVALUATION AND DEVELOPMENT PURPOSES ONLY. THIS SOFTWARE SHOULD NOT BE USED IN A COMMERCIAL OPERATING ENVIRONMENT OR WITH IMPORTANT DATA. BEFORE INSTALLING THIS APPLE SOFTWARE, YOU SHOULD BACK UP ALL OF YOUR DATA AND REGULARLY BACK UP DATA WHILE USING THIS APPLE SOFTWARE."

http://www.apple.com/safari/download/terms_mac.html
 
itcomesinwaves said:
I would tend to classify "day 1" as release day, but that's just the geek in me. I wouldn't expect everyone to interpret it that way.

Also, when you download the beta you agree to the EULA, including the following paragraph. It's the 2nd paragraph, and is all in bold.

"IMPORTANT NOTE: THIS IS “BETA”, PRE-RELEASE, TIME-LIMITED SOFTWARE MEANT FOR EVALUATION AND DEVELOPMENT PURPOSES ONLY. THIS SOFTWARE SHOULD NOT BE USED IN A COMMERCIAL OPERATING ENVIRONMENT OR WITH IMPORTANT DATA. BEFORE INSTALLING THIS APPLE SOFTWARE, YOU SHOULD BACK UP ALL OF YOUR DATA AND REGULARLY BACK UP DATA WHILE USING THIS APPLE SOFTWARE."

http://www.apple.com/safari/download/terms_mac.html
Click to expand...
I do not even think Safari for windows should be called a beta. A lot of the problems I see in it are late alpha stage bug. in no way in hell was this program ready for a public beta. A public beta means it was near being complete.
As for the press making a big deal about it I am going to say apple got what it deserved on it and rightfully is being force to eat is own words.

"Security being number one from ground up" and apple always showing how secure there OS means any bug is a big deal. Apple brags about security being so great so it better be top great and getting hit with 8 in the first day means it was clearly not ready for a public beta and apple screwed up big time.
 
johnee said:
Does beta mean it's allowed to have security holes?

Would you ever install ANY software that could or could not have security holes?
Click to expand...

Well, considering any and all software, beta or production, can have security holes, by your criteria you wouldn't have much software available to you. OS X has security holes, whether they've been discovered or not is a different story, but I take it you see fit to install it and use it. The same goes for Windows users. If Apple, or any other software publisher, were to wait until they could guarantee that their product did not have any security holes before releasing it, there wouldn't be any software published.

IMO, you are not being very realistic. Beta software, by its very definition, is "use at your own risk". No one is forcing anyone to be a beta tester.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back