Apple’s (AAPL) Safari: Security Experts Easily Find Multiple Bugs

In the now-classic Apple (AAPL) commercials, Mac Guy occasionally remarks to PC Guy that Macs don’t have the security problems of PCs. But now, Mac Guy might have PC Guy’s problems. Within hours of Monday’s announcement that Safari 3 beta was available for Windows, three security blogs identified vulnerabilities in the Apple-made browser.

While Apple’s marketing information suggests Safari has been “designed to be secure from day one,” security experts Aviv Raff, David Maynor, and Thor Larholm found otherwise — in some cases simply by opening a malicious Web site in Safari.

Bloggers Unveil Issues

Writing on the Errata Security blog, David Maynor said on Monday that using “publicly available tools,” he and associates found “six bugs in an afternoon; four DoS and two remote code execution bugs.” DoS refers to a denial-of-service attack in which packets of data can overwhelm and then crash a computer.

The bugs work not only on the Windows version of Safari, Maynor wrote, but also on the version for Apple’s OS X. “Same code base for a lot of stuff,” he said.

Maynor said that his disclosure policy was to “give vendors as long as they need to fix problems.” But “if the vendor is unresponsive” or makes threats, he wrote, after 30 days he will release the full details. In any case, he said, the information on the vulnerabilities will not be sold to a third party.

Thor Larholm, on his blog Larholm.com, wrote today that, within two hours of downloading, installing, and using Safari for Windows, he found a “fully functional command execution vulnerability, triggered without user interaction simply by visiting a Web site.”

He pointed out that Safari was originally designed for tight integration with OS X, but “the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.” When Apple released Safari for Windows, he noted, the company neglected to implement Windows-specific URL protocol handlers. The result is that a malicious user can “break out of the intended confines and wreak havoc.”

On his blog, aviv.raffon.net, Aviv Raff said that he found “memory corruption” that “might be exploitable,” although he added that he’ll “have to dig more to be sure of that.”

Hackers have long wanted to get their hands on the iPod, and you can bet the iPhone is just too tempting for them. With the planned integration between the browser and the devices, the security breaches in Safari will open that door. How long before Microsoft’s (MSFT) PC guy has his own commercial out there?

5 replies on “Apple’s (AAPL) Safari: Security Experts Easily Find Multiple Bugs”

Safari 3 is ‘beta’ software, and this is exactly the process that should take place to close the loopholes. Why do you and others hold Apple up to completely different standards than others?

Compare this beta with Windows XP and Internet Explorer where holes are STILL being found – after being out of beta for 5 years!

And as for Maynor, for him to be throwing threats around is a bit much to stomach. He was the man with the fraudulent and misleading MacBook Airport vulnerability – that wasn’t Airport.

I recognize that, but they go live in two weeks.

Also, these bugs were instantly found, meaning there are sure to be many more found once folks dig deeper. Since it will be so tied to the phone and pod, it now makes them very vulnerable.

Todd,
Once again, Beta.
Second, iPhone is Mac OSX. Safari on iPhone is for Mac OSX. Safari for Windows is not part of the iPhone launch, so “going live” in two weeks is not in danger from this issue.
Finally, please don’t take this the wrong way, but the day you say AAPL might be a good buy is the day I sell my holdings I’ve been accumulating for years. You’re a good barometer.
Brooks

Brooks,

Read the post again: same code for OSX and Windows, same problems.

Is there anyone who has not held Apple shares “for years” out there? Who the hell has been buying since 2005?

Someone has to be the last fool in….

How is Philly?

Todd,
Same code for BETA Safari. Beta. “Not ready for Prime Time…” Fine with me.

Plenty of people daytrade, because it has a high daily range. I’ve been buying since 2005, but only when I see it necessary. User since the 80s, stock owner since 2000, last purchases were summer of 2006 in the 50s, December of 2006 (I believe the 27th?) when it dropped on more media options coverage into the upper 70s, and once again bought some call options before the April #s. Those call options expire next month and Jan 08. I also bought some July 125s yesterday morning. As you know, the best time to buy a stock is when it’s damaged (fear runs rampant) but believe in the company.

Moving to Charleston, SC soon. Financial independence nearly at hand….

Keep up the good work. Funny thing about AAPL, it’s gotta be the most loved/hated/”tabloided” stock out there. On google finance, it’s generally the top traded stock in terms of $ volume. So, whenever you write about it, it’ll get coverage…..

One more thing. The LF presentation at the PJ conference was good, but the one slide which struck me was the name/company recognition, and it was a blind question. Amazing, the company hasn’t done anything “new” for a couple of years, takes heavy losses, and they’re still far and away at the top of people’s minds.

Have a great day.
Brooks