Filed under: Analysis / Opinion, Software, Internet Tools, Security
Windows Safari bugs and exploits "popping up like hotcakes"

Safari has been available on Windows for less than 24 hours, and already the hacker community is apparently tearing it to shreds. The Errata Security blog has been keeping track of a few announcements across the web, including a fully disclosed 0-day exploit that Thor Larholm apparently found yesterday within two hours of the software's release (and says more are "popping up like hotcakes"). And just to be clear on the use of 0-day exploit: it means Larholm found a way
What will this mean for Safari's reputation and traction in the Windows market? I'm not really sure yet. There are any number of reasons behind Apple's decision to develop Safari for Windows, and even though a healthy pool of tech-savvy users are already tinkering with it (for better and for worse), the real results will be seen once it reaches much more of the mainstream market. One of the primary reasons (besides making it easy for Windows-based web developers to write web apps for the iPhone, of course) for SafariWin, as some are calling it, is because that tiny little search box in the upper right of a browser has become quite a revenue generator if the browser does decently in the market. When users search through that box, the browser manufacturer makes some money off the resulting ads that are displayed along with that search. Firefox reportedly made around $50-75 million last year for Mozilla because of that little search box (not bad for an open source product, eh?). You don't have to be Internet Explorer to bring home at least some bacon for your company; heck, I would bet that Opera is still in business largely due to their search box as well.
But none of these reasons will mean anything, and Safari won't generate nearly as much revenue for Apple, if it doesn't gain at least a respectable share of Windows users who are actually firing up Safari to search, browse the web, and view and click on ads. But if Safari keeps getting torn apart like this within 24 hours of a release, it could gain a terrible reputation before it ever hits the radar of a crucial portion of the general public. In this new web browsing and computing world, where security is everything when you talk about a browser, Safari needs to plug these exploit holes ASAP if it plans to get any further than the fleeting front page of digg.

Reader Comments (Page 1 of 2)
D3L3T3D said 11:36AM on 6-12-2007
But does this really even matter to the "average" Windows user? If it did, why would they put up with IE for so long? At least you know Apple will update Safari if it is needed! Below is from Wikipedia:
Much criticism of Internet Explorer is related to concerns about security: Much of the spyware, adware, and computer viruses across the Internet are made possible by exploitable bugs and flaws in the security architecture of Internet Explorer, sometimes requiring nothing more than viewing of a malicious web page in order to install themselves. This is known as a "drive-by download": an attempt to trick the user into installing malicious software by misrepresenting the software's true purpose in the description section of an ActiveX security alert.
While Internet Explorer is not alone in having exploitable vulnerabilities, its ubiquity has resulted in many more affected computers when vulnerabilities are found. Microsoft has not responded as quickly as competitors in fixing security holes and making patches available.[14] Not only are there more security holes discovered in Internet Explorer, but these vulnerabilities tend to remain unpatched for a much longer time, in some cases giving malicious web site operators months to exploit them before Microsoft releases a patch.
The security website Secunia keeps an up-to-date list of known unpatched vulnerabilities. According to the Washington Post, Internet Explorer was known to have exploit code for unpatched critical flaws for 284 days of 2006 [1]. The article goes on to compare this with 9 days for Mozilla Firefox.
Reply
Alex said 11:38AM on 6-12-2007
PUBLIC BETA
Reply
Thomas said 11:38AM on 6-12-2007
While this post is true, I couldn't find anywhere which stated this product was Beta in this post. Surely you should state that, before people start going crazy about these exploits. You use Safari 3 at your own risk.
Reply
koopa said 11:41AM on 6-12-2007
I'm sorry but almost all browsers on windows boxes are vulnerable. I'm just amazed at how quickly people want to tear down something that was just released. These are the same people that as kids tore off the heads of their GI Joes as soon as they got them. Think Sid from Toy Story.
Reply
Dave Chartier said 11:42AM on 6-12-2007
#2: You make a good point, but Safari and IE are in slightly different positions when it comes to whether users decide to use one or the other.
IE comes on every Windows box. It's just there, it's the default. I bet many users still simply call it 'the internet' without realizing 'it is only one product that gives me access to the internet.'
Safari is a manual download; you *have* to go out and get it and choose to make it your default browser. As the market shows, even with the reigning superiority of Firefox (and its reputation for far better security), the majority of users still aren't seeking out alternatives to IE.
As of now, Safari is still only on the lips and hard drives of the tech-savvy community. *That* community, as well as any news announcements of Safari security breaches, are the only things that will bring Safari to the masses.
My argument with this post is: if the tech savvy community's first experience is nothing but security holes and code exploits, what chance does Safari have of winning an approval to get installed on the computers of mom, dad and the rest of the market?
If Safari earns a reputation for poor security straight out the gate - in a world where security in a browser is everything - it won't have much of a chance at all.
Reply
Emor8t said 11:42AM on 6-12-2007
Actually this doesn't bother me, because:
1. Safari doesn't work properly on my machine anyway.
2. I will still use firefox for various reasons.
3. As a web developer, I don't need yet another browser to design for, so if it dies a horrible MS-style death, so be it.
Reply
Fred said 11:48AM on 6-12-2007
It's like nobody remembers that this is a BETA!!!! It's supposed to be torn apart! JEEZ!
Reply
Mo said 11:51AM on 6-12-2007
It's a piece of software DESIGNED to access remote (untrusted) hosts across the Internet. That means that any bug pertaining to fetching, parsing, or rendering could potentially be a “remote code execution vulnerability”. There will be loads of bugs that aren't—anything to do with the browser chrome, prefs handling, etc.—but the majority could well be. That applies to any browser.
The fact that there are bugs in a preview release of a web browser is hardly earth-shattering news. The fact that some of them, by nature, could result in remote code execution exploits isn't either.
Unless you're Google, beta really does mean beta.
Reply
rogersmj said 11:52AM on 6-12-2007
Emor8t, what do you mean "another" browser? Safari has been in existence for years on the Mac and it's not going to render differently on Windows. Although small, Safari does have a decent enough chunk of the market that anyone who calls themselves a web designer should already be designing for it. If you don't, then I would never hire you, because you're blocking out 3-5% of my potential visitors because you're too lazy to spend 15 minutes verifying the design works in Safari. Besides, it hardly takes any effort; except for a couple of minor things, it renders almost the same as Firefox.
Reply
Dave Chartier said 11:52AM on 6-12-2007
Everyone: 'beta' means there are some quirks and bugs, maybe it will crash. 'Beta' does *not* mean that it has wide open security holes that can allow for remote code execution and complete control over your machine.
Reply
James said 11:55AM on 6-12-2007
BETA!
Reply
James said 11:56AM on 6-12-2007
Beta means the product is not finished yet and we're releasing it so you can help us find any problems we missed. It does not mean "it just has some quirks".
Reply
Buckingham said 11:57AM on 6-12-2007
Agree with #11 (Dave). These are not UI glitches like a missing button or wrong spelling. These things go deep in the URL handling and IO stuff.
Reply
cwg said 11:57AM on 6-12-2007
Beta alright. Yet, you'll have to acknowledge that the trouble we've been hearing about and experiencing with Safari 3 so far smells more like an early alpha release. Used to be that people were aware of the fundamental distinction between the two, but with the advent of 'beta everywhere' lately (Google anyone?), that seems to be gone for good. What a shame.
Reply
Dane said 12:01PM on 6-12-2007
You gave credit to Daringfireball.net's John Gruber for the "heads-up" on the revenue for search boxes, right? I mean, it's not all that coincidental that the day after Gruber posts a summary of the WWDC 2007 Keynote on a well-read Apple/Dev blog, you post a blog with similar information? I'm just saying, if it's common knowledge, then that's fine, but if not, for the sake of journalistic integrity, give credit where credit is due.
Reply
Jon Harris said 12:02PM on 6-12-2007
It's a good little piece, but you omit to tell us where you got the quote "popping up like hotcakes" from. The quotation marks imply a source that's being reported, but I see none. Surely this "quote" wasn't fabricated for eye-catching, traffic-boosting effect...? At least, I hope not.
Reply
Kyle Reasons said 12:12PM on 6-12-2007
One thing is for sure...that browser better be pretty damn secure. If they can't maintain a stable and secure browser it may actually scare people away from buying a Mac.
I say it's a risky move.
Reply
AlMeister said 12:13PM on 6-12-2007
"Surely this "quote" wasn't fabricated for eye-catching, traffic-boosting effect..."
Sure it was. This site was great back when McNulty was the most prolific blogger. That guy knows how to do good stories. The rest are bloggers in training. It's been all downhill since.
Reply
bebopredux said 12:28PM on 6-12-2007
Perhaps Apple used this Public Beta release of Safari to show what happens on Windows. Think about it. You get all this free publicity that sheds light on the holes in Windows. What better way to prove OSX is better? That's how I see this. Surely The Borg in Redmond cannot be thrilled with all of this.
Stroke of genius by Jobs.
Reply
Dave Chartier said 12:34PM on 6-12-2007
Guys, the second site I link - really, the only exploit I link - is where the 'hotcakes' quote is from. I didn't realize this would be such a big deal since it's the *only* exploit I link, but I have nevertheless edited the post to make this more clear.
Also, re: search box revenue generation - while it probably isn't 'common knowledge' in the sense that CNN talks about it on a weekly basis, this info came out a year or two ago and much of the blogging world picked up on it. Alex Hung, whom I link to over at Download Squad (another blog I am an editorial manager for) also mentions this in an independent editorial covering *why* he believes Safari has come to Windows.
A lot of subtle information like this gets around between sites off and on. Stuff like this is typically known in at least some circles for some time, and it isn't that much of a big deal to credit one source or another because most of us probably couldn't pin down where we first heard it anymore.
I've spoken with John Gruber in the past, he's even provided me with a script or two to help get some work done. I've been an incredibly satisfied member of Daring Fireball for close to three years now; I'm not out to scrape stuff from him and take credit for work or knowledge that isn't necessarily mine. This was just a case of rare info being called into action by a number of different sites.
Reply