Safari Beta Security Slammed; 8 Vulnerabilities Found

[EagerDragon]

Crashes & DoS

If I can send something to a browser such as inputs, hidden fields, cookies, headers, or even TCP/IP packet changes and it causes the browser to behave incorrectly, such incorrect action is a potential security hole.

A crash ussualy means memory corruption or invalid inputs, and such corruption was caused by the hacker.

If the hacker can take the time to look into the crash, there is a good chance that a good number of those crashes can instead be turned into code execution.

A lot of DoS sooner or later end up as a crash meaning that they may also be explotable.

Nobody is perfect, but it is irresponsible for Apple to release software with fairly obvious security holes. As to free software.... If your identity is stolen or all your financial records need to be re-constructed, was the software really free????

I hope they find as many security issues as possible, after that I expect a very uneventful roll out, which will be good for Apple and all Mac, windows and iPhone users.

Please keep finding those security holes.

 

[EagerDragon]

Despite what Steve Jobs has said, the ONLY reason they released Safari on Windows is because the iPhone dev kit will require it.

They won't take any marketshare with it (nobody is giving up Firefox on windows to run Safari). And it will never have the 3rd party plugin support of IE or Mozilla based browsers. It won't even approach Opera.

If you need more evidence, note that they released the Safari beta before it even supported Proxies. Good god - how can any browser even be remotely considered real if it doesn't support proxies?

You will need Safari to develop for the iPhone. That's why it was ported to Windows. Period.

Do not attempt to use it for anything even remotely important to you.

Is going to a web site and clicking a few links, watching a video unreasonable use?

That is all it takes to get badly bitten.

 

[rainydays]

I still don't get why apple choose to port Safari to Windows. It's not that good of a product, and it will take a lot of energy to get Windows users to switch (the Firefox community knows this by experience).

Seriously, Leopard is delayed and they choose to put developers on porting Safari to Windows? Something that in itself is questionable.
Perhaps they have another reason for doing it. But I doubt that.

Please Apple, FOCUS!

 

[Earendil]

I still don't get why apple choose to port Safari to Windows. It's not that good of a product, and it will take a lot of energy to get Windows users to switch (the Firefox community knows this by experience).

Seriously, Leopard is delayed and they choose to put developers on porting Safari to Windows? Something that in itself is questionable.
Perhaps they have another reason for doing it. But I doubt that.

Please Apple, FOCUS!

Despite some people thinking they know better than Apple, there actually is a good reason for porting it. See post #145 in this thread.
At least you sound willing to learn something new

 

[itcomesinwaves]

Does beta mean it's allowed to have security holes?

Yes.

Beta software is "allowed" to have all manner of bugs. Software becomes beta when it is released for testing outside the company. If you download beta software you should be aware that it can have all kinds of bugs, even ones that are potentially damaging to your system.

 

[coffey7]

Opera is faster. When I put safari on my vista machine it was really slow. I better take it off before it messes things up. Safari is not the best browser. Sorry.

 

[acslater017]

well, time to delete my beta.

 

[uNext]

You want to know whats funny and annoying at the same time?

When microsoft released internet explorer beta, I recall people saying things like "leave it to microsoft to release a buggy product", "If this is beta then i wonder what microsofts definition for alpha is"

But in this scenraio people are once again hiding behind the fact that safari is in beta (a lot of mac users always find excuse t ojustify anything releated to apple) when it is completely unnaceptable
to have "worlds greatest" but the browser fails to display some ciritcal but minor details . At the end of the day people laughed at Gates when he said microsoft coding is tight compared to mac os x. To anybody with common sense that will stand true for many reasons...microsoft have been fighting hackers for years that constantly break their efforts years of research and dedication on trying to improve the system without stepping on other business that eat of security.

wHEN MAC REACHES A CERTAIN PLATEU OF MARKET SHARE-and they start ****ing people over watch how easy it will be to break something on mac....Their security dpt could be coding baby stuff but since nobody is hacking it, it seems like the most secure OS in the world.....just wait and see. I dont think apple will be able to handle where even microsoft fails at but where 3rd party solutions step in
see where im going? if microsoft where to be 100% secured they would be getting sued left and right monopoly this/that etc. If you think a company worth billions cant come up with a more secured operating system then your blind and fail t osee the politics behind the business/market.

Uncle steven will never tell you this but unfortunetly my fellow mac brethrens apple is nothing without microsoft. Dont believe me rewind back to the 90's is all in the past. Unfortunetly apple decided to basically link up with windows and now we will see the lies similar to the powerpc vs x86 show.

 

[MikeTheC]

surprisingly other browsers like fx/opera managed to stay safer.

anyway, welcome to the real world of windows, apple good luck stay safe and survive. and lets check back on browser market share in 3 months!

Interestingly enough, even though not mentioned at the keynote, Apple's own site shows Opera to be very competitive with Safari.

It's actually been my main browser for about a month and change now. I can't imagine going back to anything else.

 

[Muncher]

But in this scenraio people are once again hiding behind the fact that safari is in beta (a lot of mac users always find excuse t ojustify anything releated to apple) when it is completely unnaceptable
to have "worlds greatest" but the browser fails to display some ciritcal but minor details .

wHEN MAC REACHES A CERTAIN PLATEU OF MARKET SHARE-and they start ****ing people over watch how easy it will be to break something on mac....Their security dpt could be coding baby stuff but since nobody is hacking it, it seems like the most secure OS in the world.....just wait and see. I dont think apple will be able to handle where even microsoft fails at but where 3rd party solutions step in

#1, I agree with the first statement. But then, both sides do it; nobody's perfect, eh?

#2 For the second statement, even if Microsoft has security far superior than that of Apple, that comparison is still relative. What matters is the absolute - that despite that, Macs still have less viruses.

 

[EagerDragon]

I think everyone so far has missed the real reason why Apple have released Safari for Windows. That happens to be developers for the iPhone. Apple would not allow third party developers to write independent apps for the iPhone,
but have instead opened up Safari as a way to get third party apps onto the iPhone. These apps can be written on any computer running Safari. What better way to instantly increase the amount of people able to write apps for Safari
than to put Safari on another 95% of computers? Developers who might like to write an app for Safari/iPhone may not want to go out and buy a Mac just to write an app. But now, they can use safari on their Windows box. So, I guess
this could really be an iPhone related discussion.

I can agree with most of your entire post, however if it was released for developers, how come you do not have to register as a developer to get the beta or even alpha browser?

They opened the browser to the ENTIRE WORLD, go check the Apple site.

Developers undestand beta developtment tools, general population and a lot of the media don't understand the difference.

I find it hard to belive that Apple was under the impression that only developers were going to download the Safari beta.

Sorry but that argument IMHO does not hold water.

 

[edoates]

The download includes an uninstaller so you can put it back to safari 2.

And it works, I just did it to make sure.

Beta software is always likely to be buggy, but security flaws of a serious nature should have been more thoroughly test in the lab prior to releasing into the wild.

Ed

 

[rainydays]

Despite some people thinking they know better than Apple, there actually is a good reason for porting it. See post #145 in this thread.
At least you sound willing to learn something new

I have considered the iPhone development bit. But wouldn't it be better then to release it as a development tool?

As I see it, releasing this public beta and target it as an IE replacement product will only hurt Apple.
I have a hard time understanding their reasoning.
Expecting that people will download Safari based on the fact that iTunes is popular is a bit naive in my opinion.

 

[guerro]

I can agree with most of your entire post, however if it was released for developers, how come you do not have to register as a developer to get the beta or even alpha browser?

They opened the browser to the ENTIRE WORLD, go check the Apple site.

Developers undestand beta developtment tools, general population and a lot of the media don't understand the difference.

I find it hard to belive that Apple was under the impression that only developers were going to download the Safari beta.

Sorry

You may have misunderstood what I was saying. Obviously, Safari 3 beta was released to everyone. Hence my statement that Safari is now available to another 95% of computer users. My point is that Apple have gained a huge number of people who can instantly develop an application for the iPhone. Not all Windows users are developers, but there are a bazillion more devs for the Windows platform than there are for OSX. I think you will realize what I was saying if go back and read my entire post again.

Another side benefit of the browser being on Windows (and the shear millions of users on windows) is the search bar built into Safari. There is advertising money involved with these built in Google search bars. Apple actually gets money when people use the built in search bar.

 

[v-ault]

You want to know whats funny and annoying at the same time?

When microsoft released internet explorer beta, I recall people saying things like "leave it to microsoft to release a buggy product", "If this is beta then i wonder what microsofts definition for alpha is"

But in this scenraio people are once again hiding behind the fact that safari is in beta (a lot of mac users always find excuse t ojustify anything releated to apple) when it is completely unnaceptable
to have "worlds greatest" but the browser fails to display some ciritcal but minor details . At the end of the day people laughed at Gates when he said microsoft coding is tight compared to mac os x. To anybody with common sense that will stand true for many reasons...microsoft have been fighting hackers for years that constantly break their efforts years of research and dedication on trying to improve the system without stepping on other business that eat of security.

wHEN MAC REACHES A CERTAIN PLATEU OF MARKET SHARE-and they start ****ing people over watch how easy it will be to break something on mac....Their security dpt could be coding baby stuff but since nobody is hacking it, it seems like the most secure OS in the world.....just wait and see. I dont think apple will be able to handle where even microsoft fails at but where 3rd party solutions step in
see where im going? if microsoft where to be 100% secured they would be getting sued left and right monopoly this/that etc. If you think a company worth billions cant come up with a more secured operating system then your blind and fail t osee the politics behind the business/market.

Uncle steven will never tell you this but unfortunetly my fellow mac brethrens apple is nothing without microsoft. Dont believe me rewind back to the 90's is all in the past. Unfortunetly apple decided to basically link up with windows and now we will see the lies similar to the powerpc vs x86 show.

I was following you up until you said: "wHEN MAC REACHES A CERTAIN PLATEU OF MARKET SHARE". Everything got pretty incoherent after that.

 

[johnee]

Yes.

Beta software is "allowed" to have all manner of bugs. Software becomes beta when it is released for testing outside the company. If you download beta software you should be aware that it can have all kinds of bugs, even ones that are potentially damaging to your system.

wow, That is completely unethical.

tell me, exactly when were they going to get around to even test these issues?

Were they relying on the "test subjects at large" to find these holes?

You're telling me apple had no regard for security, and decided to let everyone be a victim, without making sure there were no security holes?

It took something like 6 HOURS for someone to find these!!!

If apple decided to completely disregard their own testing of their tool, they at LEAST could have hired someone to do it for them!!!!!!!!!!!!!!!!!

 

[itcomesinwaves]

The real question should be, will these vulnerabilities manifest themselves in the iPhone in any way? Steve-O said the reason for not allowing independent third party apps was security concerns. But these flaws in safari might
introduce the very insecurity Apple are trying to avoid. Apple is not trying to take over the Browser segment, rather they are trying to get as many people able to write Safari apps for the iPhone as possible.

I you almost answered your own question. This is how I think it is going down:

Apple wasn't planning on allowing any third party development that wasn't pre-approved through them and AT&T. Partly because of security concerns, but also because AT&T is afraid of programs that could cut into their profits (Skype functionality, for example).

When it became clear how restricted the iPhone would be, potential customers and developers started to question how good it would be. The pressure finally got to Apple, and they decided to go with this Web-App idea at the last minute. As you said, the purpose of Safari for Windows is to be a tool for iPhone developers. Because this plan came together so late, the port of Safari was rushed and is very buggy. Normally they wouldn't release this as a beta, but with June 29th approaching fast, they wanted to get it out for developers ASAP (The same goes for the Mac beta, but it's not as buggy because they've been working on it for Leopard).


What do you think? Feel free to poke holes in my theory.

 

[ppnkg]

Please Apple, FOCUS!

They do! On the iPhone!

The annoying part of it is that the beta version overwrote the previous one. Sure, the whole point of having a beta out is to test it, that's fine. Personally, I'll wait until these bugs are fixed, so I'm uninstalling it.

Also, I hear Camino was recently updated, and Shiira 2 is out.

 

[guerro]

I you almost answered your own question. This is how I think it is going down:

Apple wasn't planning on allowing any third party development that wasn't pre-approved through them and AT&T. Partly because of security concerns, but also because AT&T is afraid of programs that could cut into their profits (Skype functionality, for example).

When it became clear how restricted the iPhone would be, potential customers and developers started to question how good it would be. The pressure finally got to Apple, and they decided to go with this Web-App idea at the last minute. As you said, the purpose of Safari for Windows is to be a tool for iPhone developers. Because this plan came together so late, the port of Safari was rushed and is very buggy. Normally they wouldn't release this as a beta, but with June 29th approaching fast, they wanted to get it out for developers ASAP (The same goes for the Mac beta, but it's not as buggy because they've been working on it for Leopard).


What do you think? Feel free to poke holes in my theory.

I couldn't agree more.

 

[EagerDragon]

You may have misunderstood what I was saying. Obviously, Safari 3 beta was released to everyone. Hence my statement that Safari is now available to another 95% of computer users. My point is that Apple have gained a huge number of people who can instantly develop an application for the iPhone. Not all Windows users are developers, but there are a bazillion more devs for the Windows platform than there are for OSX. I think you will realize what I was saying if go back and read my entire post again.

Another side benefit of the browser being on Windows (and the shear millions of users on windows) is the search bar built into Safari. There is advertising money involved with these built in Google search bars. Apple actually gets money when people use the built in search bar.

I was just having an issue with the "released for iPhone developers", everything else im with you.

 

[guerro]

I was just having an issue with the "released for iPhone developers", everything else im with you.

Don't get stuck on the term "developer". As we all know, every user has potential to be a developer. I guess I could have explained that better. But, read the las couple posts just above.

 

[itcomesinwaves]

wow, That is completely unethical.

tell me, exactly when were they going to get around to even test these issues?

Were they relying on the "test subjects at large" to find these holes?

You're telling me apple had no regard for security, and decided to let everyone be a victim, without making sure there were no security holes?

It took something like 6 HOURS for someone to find these!!!

If apple decided to completely disregard their own testing of their tool, they at LEAST could have hired someone to do it for them!!!!!!!!!!!!!!!!!

You forgot an exclamation point.

Like all beta software, it comes with this warning:
"IMPORTANT NOTE: THIS IS “BETA”, PRE-RELEASE, TIME-LIMITED SOFTWARE MEANT FOR EVALUATION AND DEVELOPMENT PURPOSES ONLY. THIS SOFTWARE SHOULD NOT BE USED IN A COMMERCIAL OPERATING ENVIRONMENT OR WITH IMPORTANT DATA. BEFORE INSTALLING THIS APPLE SOFTWARE, YOU SHOULD BACK UP ALL OF YOUR DATA AND REGULARLY BACK UP DATA WHILE USING THIS APPLE SOFTWARE."

I don't know what to say to you. Sorry this has you so freaked out. I don't know if it will help, butI can assure you that bugs and security holes in a beta software are entirely routine (in fact, that's kind of the point).

 

[EagerDragon]

I you almost answered your own question. This is how I think it is going down:

Apple wasn't planning on allowing any third party development that wasn't pre-approved through them and AT&T. Partly because of security concerns, but also because AT&T is afraid of programs that could cut into their profits (Skype functionality, for example).

When it became clear how restricted the iPhone would be, potential customers and developers started to question how good it would be. The pressure finally got to Apple, and they decided to go with this Web-App idea at the last minute. As you said, the purpose of Safari for Windows is to be a tool for iPhone developers. Because this plan came together so late, the port of Safari was rushed and is very buggy. Normally they wouldn't release this as a beta, but with June 29th approaching fast, they wanted to get it out for developers ASAP (The same goes for the Mac beta, but it's not as buggy because they've been working on it for Leopard).


What do you think? Feel free to poke holes in my theory.

Mostly with you .... Only thing is that developers do not really need to use Safari to develop code. All they are writting is Ajax and they can use just about any browser that is JavaScript and AJAX compatible. While Safari compatability is probably the best, it is not the only choice. Peple been developing AJAX apps for several months before Apple decided to release Safari for windows.

I am not aware of anything in Safari that will significantly make development any better / faster. It is just a browser.

 

[itcomesinwaves]

I was just having an issue with the "released for iPhone developers", everything else im with you.

"Developing" for the iPhone isn't anywhere near as complex as developing for Mac OS. It's more akin to "developing" a widget. Anyone who can make a web page (from scratch) is well on their way.

 

[EagerDragon]

"Developing" for the iPhone isn't anywhere near as complex as developing for Mac OS. It's more akin to "developing" a widget. Anyone who can make a web page (from scratch) is well on their way.

100% Correct, Ajax is about web services, if you have web services available and exposed, you just need to develop a thin layer client to call those services.