What the hell took him so long?

‘Day One’ for Safari for Windows Becomes Zero-Day Nightmare

It took security researchers perhaps less than two hours yesterday to drag Apple’s surprise entry in the field of Windows browsers into the big, cruel world of exploits and vulnerabilities, following its unveiling yesterday morning at WWDC. As a result, much of the reputation Safari had earned as the secure browsing alternative to Internet Explorer and Firefox, as long as it ran on a Macintosh, burned off like a flash fuse.

Errata Security engineer David Maynor had a report posted on the first vulnerability he found by 1:48 pm, complete with screenshots of the crash dialog triggered by input from his fuzzing tool. As he admitted, it wasn’t a difficult crash to find: he posted a screenshot of the memory dump showing both stack corruption and an access violation, and then credited Thor Larholm with posting a complete report on the calamity not an hour later. Stack corruption together with an access violation in a crash dump is the signature of a memory-safety bug, which is why a crash turned up by fuzzing is treated as a potential vulnerability until someone proves it isn’t.
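The kind of harness that turns up such crashes, as an added example written for this page rather than Maynor’s or Errata Security’s own tool: a small mutation fuzzer that takes a seed HTML document (constructed here), applies the mutations that typically expose parser memory bugs (overlong attribute values, deep tag nesting, random byte insertion, truncation, bit flips), and writes each case to a file named by its hash so a crash observed in the browser can be traced back to the exact input. The seed document, the strategy list and the output layout are all assumptions; nothing here is Safari-specific.

```python
"""Minimal mutation fuzzer for browser HTML input.

Added example for this page; not Errata Security's fuzzer. The seed
document, the mutation strategies and the output layout are assumptions.
"""
import hashlib
import os
import random
import re

# Constructed seed document. A real campaign would start from a corpus of
# real pages so the mutations hit more of the parser.
SEED_HTML = (
    '<html><head><title>seed</title></head>\n'
    '<body><a href="http://example.invalid/">link</a>\n'
    '<img src="x.png" width="10" height="10">\n'
    '<div style="color:red">text</div></body></html>\n'
)

ATTR_RE = re.compile(r'="([^"]*)"')


def long_attribute(doc, rng):
    """Replace one quoted attribute value with an overlong string (classic overflow probe)."""
    matches = list(ATTR_RE.finditer(doc))
    if not matches:
        return doc
    m = rng.choice(matches)
    filler = rng.choice(['A', '%n', '\x00', '../'])
    return doc[:m.start(1)] + filler * rng.choice([256, 4096, 65536]) + doc[m.end(1):]


def nest_tag(doc, rng):
    """Open thousands of nested copies of one tag to stress parser recursion and stack depth."""
    tag = rng.choice(['div', 'table', 'font', 'span'])
    depth = rng.choice([1000, 10000, 50000])
    return doc.replace('<body>', '<body>' + ('<%s>' % tag) * depth, 1)


def insert_junk(doc, rng):
    """Insert a short run of arbitrary bytes (as latin-1 characters) at a random offset."""
    pos = rng.randrange(len(doc))
    junk = ''.join(chr(rng.randrange(256)) for _ in range(rng.randrange(1, 64)))
    return doc[:pos] + junk + doc[pos:]


def truncate(doc, rng):
    """Cut the document short so the parser sees an unterminated construct."""
    if len(doc) < 2:
        return doc
    return doc[:rng.randrange(1, len(doc))]


def flip_bits(doc, rng):
    """Flip a handful of random bits; latin-1 keeps every byte value representable."""
    data = bytearray(doc.encode('latin-1'))
    for _ in range(rng.randrange(1, 8)):
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    return data.decode('latin-1')


STRATEGIES = [long_attribute, nest_tag, insert_junk, truncate, flip_bits]


def mutate(doc, rng):
    """Apply one to three randomly chosen strategies in sequence."""
    for _ in range(rng.randrange(1, 4)):
        doc = rng.choice(STRATEGIES)(doc, rng)
    return doc


def generate_cases(seed_html, count, rng_seed=0):
    """Produce `count` cases deterministically from `rng_seed`, so a crashing corpus can be regenerated."""
    rng = random.Random(rng_seed)
    return [mutate(seed_html, rng) for _ in range(count)]


def case_id(case):
    """Stable name for a case: truncated SHA-1 of its bytes, logged beside any crash it causes."""
    return hashlib.sha1(case.encode('latin-1')).hexdigest()[:12]


def write_cases(cases, directory):
    """Write each case as <id>.html under `directory`; returns the written paths in order."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for case in cases:
        path = os.path.join(directory, case_id(case) + '.html')
        with open(path, 'wb') as fh:
            fh.write(case.encode('latin-1'))
        paths.append(path)
    return paths


if __name__ == '__main__':
    import sys
    out_dir = sys.argv[1] if len(sys.argv) > 1 else 'cases'
    for p in write_cases(generate_cases(SEED_HTML, 100, rng_seed=1), out_dir):
        print(p)
```

Run the script, point the browser at each generated file (or serve the directory over HTTP) with a debugger attached, and when the browser dies the file name in the address bar is the case id; rerunning `generate_cases` with the same `rng_seed` rebuilds the identical corpus, which is what lets a crash be reproduced and then minimized before anyone calls it a vulnerability.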

“I downloaded and installed Safari for Windows 2 hours ago, when I started writing this,” Larholm wrote, “and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site.”

Apple’s Web site touts, “Apple engineers designed Safari to be secure from day one.”

On a Mac, maybe. But Windows is a whole ‘nother insecure universe, baby. This may be a beta release, but with all the bugs being found, it sounds more like an alpha.



  1. Mark Derail says:

    Hmmm, Errata beats eEye Digital to the punch?

    I’ll make sure my Safari link runs with my “regular user” rights in the “Run with different credentials” section.
    (Shortcut properties, Advanced, Run with …, Apply )

    Almost no more security issues with any browser.

    This setting should have been the default in XP SP2 for people running as Administrators.

  2. ECA says:

    Fun, ain’t it?
    A company that (really) doesn’t need much security makes a product for Windows… and thinks it’s secure??

  3. Mister Justin says:

    It’s an interesting time for Apple… As the saying goes, the higher the monkey climbs the tree, the more he shows his ass…

  4. Brian S says:

    It’s beta. What did you expect?

    Mister Justin — be careful looking up the monkey’s ass. Something might hit you in the face……

  5. mark says:

    And it won’t be a road apple.

  6. Blogger says:

    This is a good lesson for Apple.
    Now Steve Jobs needs to listen more to Steve Gibson.

  7. Gregory says:

    And well done for finding bugs in a beta… that’s exactly the point of it.

    Of course this wouldn’t be as big news if Apple had quietly announced this rather than made a big fanfare over it.

  8. Angel H. Wong says:

    And this is why Apple keeps OSX from running on a PC.

  9. Rick says:

    Funny that there are so many people saying “ha! see, Apple can’t be secure in windoze” but few are realizing that what is really being pointed out is that the Mac IS (functionally) the more secure alternative. In the big equation, the part that is showing up as secure is the Mac and OSX…I don’t know how this is some big slam at Apple…if anything it makes their case…

  10. bill says:

    #9 is totally right…

  11. Cranky Brad says:

    I run several OS’es on my Intel Mac with Parallels and to be honest they ALL are full of bugs and security holes!! There is no such thing as a final or stable version. They all are crappy and some of us who helped finance these idiots these past 30 years should be compensated for all of time and money wasted trying to fix their buggy “beta” software!

    And don’t get me started on the developer/beta tester programs by both Apple and Microsoft allowing you to get a preview of their new OS as long as you send them bug reports and suggestions of which they then tell you your idea sucks but you see it sucked so bad that they put it in their final version! They benefit financially and you get a buggy preview copy!

    Cranky Brad has now stepped off his soapbox.

  12. Chad Larson says:

    Don’t you think that, with Apple giving Safari a big fanfare about it being available on Windows, they should’ve done more to make it less buggy? Sure, it’s a beta, but come on. People seem to be using that as a crutch. I think a beta should be mostly stable, and certainly workable. It shouldn’t crash all the time, as Safari seems to be doing. Plus, there are already 3 browsers on the Windows platform, 1 that’s the de facto standard, 1 that’s an extremely popular alternative, and 1 that has a fanatical following. Apple had to make a big splash with a great first impression with Safari and they blew it. For a company that claims that their software “just works”, this is an embarrassing slip. (And don’t get me started on the evil that is QuickTime. Goddamn I hate that horrid piece of shit.)

  13. James Hill says:

    Thank you for confirming that OS X is a better platform.

  14. malren says:

    #8: Apple’s computers ARE PCs. They just run a different OS.

    A split hair, to be sure, but an accurately split hair nonetheless.

  15. mark says:

    12. Uh, yes to all. Quicktime is nothing but spyware, as far as I’m concerned.

  16. Brad says:

    [deleted for violation of guidelines]

  17. Angel H. Wong says:

    #14

    And Fig Newtons are cookies, but their fans will say no.

    I’ve been trying to say that about MacIntels since it ever came out but the Mac groupies are always in denial.

  18. JoaoPT says:

    The reason Safari isn’t exploited in OSX but in Windows is because of the OS. Not the actual security of the OS but the foothold of the OS.
    Jobs just delivered a time bomb to Windows hackers. And ultimately to itself. Just the sheer exploitation Safari will be exposed to will, surely, delay Leopard’s delivery to the public, because Apple does not have enough engineers to plug all of the holes that will inevitably be discovered in it.
    This regardless of the spin being put to it…

  19. joehacker says:

    I doubt e-i even cared to hack this product; it’s beta and no one uses it. Errata always seems to be there to clean up the lame bugs.

  20. ECA says:

    Keep believing you are safe..
    Wait till your OS is ALL Flash, HTML, and runs on 6 other internet protocols..

  21. Brian says:

    just proves that apple has no idea how to implement security into their products…sitting in their own isolated universe, where nobody hacks their hardware and/or software because they aren’t out in any significant numbers, the programmers don’t look to outside help. Firefox is infinitely more secure, better, and has several versions ahead of apple.

    Why would anyone use a bastardized browser like safari on a PC anyways?

  22. 888 says:

    ditto for “supreme Apple coding” LOL

  23. ChrisMac says:

    this isn’t news.. really. it isn’t

    at best it’s some investors fantasy

    GO! Web 2.0!

  24. Lauren the Ghoti says:

    #16 – brad

    “#9, iFags such as yourself put blinders on. Mac world is irrelevant in the security and enterprise circles where the predators are out. So when Apple blesses us PC users with another iTurd and in less than 16hrs it is exploited to the point of embarrassing any decent programmer, it says something about the Mac culture.”

    That your mother made you wear girl’s clothing says something about the compulsive bug-up-the-ass-troll culture.

