
Safari has been available on Windows for less than 24 hours, and already the hacker community is apparently tearing it to shreds. The Errata Security blog has been keeping track of a few announcements across the web, including a fully disclosed 0-day exploit that Thor Larholm apparently found yesterday within two hours of the software's release (and says more are "popping up like hotcakes"). And just to be clear on the use of 0-day exploit: it means Larholm found a way
What will this mean for Safari's reputation and traction in the Windows market? I'm not really sure yet. There are any number of reasons behind Apple's decision to develop Safari for Windows, and even though a healthy pool of tech-savvy users are already tinkering with it (for better and for worse), the real results will be seen once it reaches much more of the mainstream market. One of the primary reasons for SafariWin, as some are calling it (besides making it easy for Windows-based web developers to write web apps for the iPhone, of course), is that the tiny little search box in the upper right of a browser has become quite a revenue generator if the browser does decently in the market. When users search through that box, the browser manufacturer makes some money off the resulting ads that are displayed along with that search. Firefox reportedly made around $50-75 million last year for Mozilla because of that little search box (not bad for an open source product, eh?). You don't have to be Internet Explorer to bring home at least some bacon for your company; heck, I would bet that Opera is still in business largely due to their search box as well.
But none of these reasons will mean anything, and Safari won't generate nearly as much revenue for Apple, if it doesn't gain at least a respectable share of Windows users who are actually firing up Safari to search, browse the web, and view and click on ads. But if Safari keeps getting torn apart like this within 24 hours of a release, it could gain a terrible reputation before it ever hits the radar of a crucial portion of the general public. In this new web browsing and computing world where security is everything when you talk about a browser, Safari needs to plug these exploit holes ASAP if it plans to get any farther than the fleeting front page of digg.













Reader Comments (Page 1 of 2)
6-12-2007 @ 11:36AM
D3L3T3D said...
But does this really even matter to the "average" Windows user? If it did, why would they put up with IE for so long? At least you know Apple will update Safari if it is needed! Below is from Wikipedia:
Much criticism of Internet Explorer is related to concerns about security: Much of the spyware, adware, and computer viruses across the Internet are made possible by exploitable bugs and flaws in the security architecture of Internet Explorer, sometimes requiring nothing more than viewing of a malicious web page in order to install themselves. This is known as a "drive-by download": an attempt to trick the user into installing malicious software by misrepresenting the software's true purpose in the description section of an ActiveX security alert.
While Internet Explorer is not alone in having exploitable vulnerabilities, its ubiquity has resulted in many more affected computers when vulnerabilities are found. Microsoft has not responded as quickly as competitors in fixing security holes and making patches available.[14] Not only are there more security holes discovered in Internet Explorer, but these vulnerabilities tend to remain unpatched for a much longer time, in some cases giving malicious web site operators months to exploit them before Microsoft releases a patch.
The security website Secunia keeps an up-to-date list of known unpatched vulnerabilities. According to the Washington Post, Internet Explorer was known to have exploit code for unpatched critical flaws for 284 days of 2006 [1]. The article goes on to compare this with 9 days for Mozilla Firefox.
6-12-2007 @ 11:38AM
Alex said...
PUBLIC BETA
6-12-2007 @ 11:38AM
Thomas said...
Why this post is true, but I couldn't find anywhere which stated this product was Beta in this post. Surely you should state that, before people start going crazy about these exploits. You use Safari 3 at your own risk.
6-12-2007 @ 11:41AM
koopa said...
I'm sorry but almost all browsers on Windows boxes are vulnerable. I'm just amazed at how quickly people want to tear down something that was just released. These are the same people that as kids tore off the heads of their GI Joes as soon as they got them. Think Sid from Toy Story.
6-12-2007 @ 11:42AM
Dave Chartier said...
#2: You make a good point, but Safari and IE are in slightly different positions when it comes to whether users decide to use one or the other.
IE comes on every Windows box. It's just there, it's the default. I bet many users still simply call it 'the internet' without realizing 'it is only one product that gives me access to the internet.'
Safari is a manual download; you *have* to go out and get it and choose to make it your default browser. As the market shows, even with the reigning superiority of Firefox (and its reputation for far better security), the majority of users still aren't seeking out alternatives to IE.
As of now, Safari is still only on the lips and hard drives of the tech-savvy community. *That* community, as well as any news announcements of Safari security breaches, are the only things that will bring Safari to the masses.
My argument with this post is: if the tech savvy community's first experience is nothing but security holes and code exploits, what chance does Safari have of winning an approval to get installed on the computers of mom, dad and the rest of the market?
If Safari earns a reputation for poor security straight out the gate - in a world where security in a browser is everything - it won't have much of a chance at all.
6-12-2007 @ 11:42AM
Emor8t said...
Actually this doesn't bother me, because:
1. Safari doesn't work properly on my machine anyway.
2. I will still use Firefox for various reasons.
3. As a web developer, I don't need yet another browser to design for, so if it dies a horrible MS-style death, so be it.
6-12-2007 @ 11:48AM
Fred said...
It's like nobody remembers that this is a BETA!!!! It's supposed to be torn apart! JEEZ!
6-12-2007 @ 11:51AM
Mo said...
It's a piece of software DESIGNED to access remote (untrusted) hosts across the Internet. That means that any bug pertaining to fetching, parsing, or rendering could potentially be a “remote code execution vulnerability”. There will be loads of bugs that aren't—anything to do with the browser chrome, prefs handling, etc.—but the majority could well be. That applies to any browser.
The fact that there are bugs in a preview release of a web browser is hardly earth-shattering news. The fact that some of them, by nature, could result in remote code execution exploits isn't either.
Unless you're Google, beta really does mean beta.
6-12-2007 @ 11:52AM
rogersmj said...
Emor8t, what do you mean "another" browser? Safari has been in existence for years on the Mac and it's not going to render differently on Windows. Although small, Safari does have a decent enough chunk of the market that anyone who calls themselves a web designer should already be designing for it. If you don't, then I would never hire you, because you're blocking out 3-5% of my potential visitors because you're too lazy to spend 15 minutes verifying the design works in Safari. Besides, it hardly takes any effort; except for a couple minor things, it renders almost the same as Firefox.
6-12-2007 @ 11:52AM
Dave Chartier said...
Everyone: 'beta' means there are some quirks and bugs, maybe it will crash. 'Beta' does *not* mean that it has wide open security holes that can allow for remote code execution and complete control over your machine.
6-12-2007 @ 11:55AM
James said...
BETA!
6-12-2007 @ 11:56AM
James said...
Beta means the product is not finished yet and we're releasing it so you can help us find any problems we missed. It does not mean "it just has some quirks".
6-12-2007 @ 11:57AM
Buckingham said...
Agree with #11 (Dave). These are not UI glitches like a missing button or wrong spelling. These things go deep in the URL handling and IO stuff.
6-12-2007 @ 11:57AM
cwg said...
Beta alright. Yet, you'll have to acknowledge that the trouble we've been hearing and experiencing with Safari 3 so far more smells like an early alpha release. Used to be that people were aware of the fundamental distinction between the two, but with the advent of 'beta everywhere' lately (Google anyone?), that seems to be gone for good. What a shame.
6-12-2007 @ 12:01PM
Dane said...
You gave credit to Daringfireball.net's John Gruber for the "heads-up" on the revenue for search boxes, right? I mean, it's not all that coincidental that the day after Gruber posts a summary of WWDC 2007 Keynote on a well-read Apple/Dev blog, you post a blog with similar information? I'm just saying, if it's common knowledge, then that's fine, but if for the sake of journalistic integrity, give credit where credit is due.
6-12-2007 @ 12:02PM
Jon Harris said...
It's a good little piece, but you omit to tell us where you got the quote "popping up like hotcakes" from. The quotation marks imply a source that's being reported, but I see none. Surely this "quote" wasn't fabricated for eye-catching, traffic-boosting effect...? At least, I hope not.
6-12-2007 @ 12:12PM
Kyle Reasons said...
One thing is for sure...that browser better be pretty damn secure. If they can't maintain a stable and secure browser it may actually scare people away from buying a Mac.
I say it's a risky move.
6-12-2007 @ 12:13PM
AlMeister said...
"Surely this "quote" wasn't fabricated for eye-catching, traffic-boosting effect..."
Sure it was. This site was great back when McNulty was the most prolific blogger. That guy knows how to do good stories. The rest are bloggers in training. It's been all downhill since.
6-12-2007 @ 12:28PM
bebopredux said...
Perhaps Apple used this Public Beta release of Safari to show what happens on Windows. Think about it. You get all this free publicity that sheds light on the holes in Windows. What better way to prove OSX is better? That's how I see this. Surely The Borg in Redmond cannot be thrilled with all of this.
Stroke of genius by Jobs.
6-12-2007 @ 12:34PM
Dave Chartier said...
Guys, the second site I link - really, the only exploit I link - is where the 'hotcakes' quote is from. I didn't realize this would be such a big deal since it's the *only* exploit I link, but I have nevertheless edited the post to make this more clear.
Also, re: search box revenue generation - while it probably isn't 'common knowledge' in the sense that CNN talks about it on a weekly basis, this info came out a year or two ago and much of the blogging world picked up on it. Alex Hung, whom I link to over at Download Squad (another blog I am an editorial manager for) also mentions this in an independent editorial covering *why* he believes Safari has come to Windows.
A lot of subtle information like this gets around between sites off and on. Stuff like this is typically known in at least some circles for some time, and it isn't that much of a big deal to credit one source or another because most of us probably couldn't pin down where we first heard it anymore.
I've spoken with John Gruber in the past, he's even provided me with a script or two to help get some work done. I've been an incredibly satisfied member of Daring Fireball for close to three years now; I'm not out to scrape stuff from him and take credit for work or knowledge that isn't necessarily mine. This was just a case of rare info being called into action by a number of different sites.