Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Safari On Windows Broken On First Day

Posted by kdawson on from the bigger-they-come dept.

An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.

9 of 595 comments (clear)

  1. Re:Maybe that's because... by gbulmash · · Score: 3, Interesting

    What makes me scratch my head... if these guys can find holes in a few hours, why can't Apple? It's not like these guys spent months to find some really obscure bug. They banged away with known attack vectors and got near-instant results. In a case like that, "it's a beta", particularly when it's been hyped at a big event, rings VERY hollow.

    IMO... If you release it quietly, so only the diehards are really pounding it, you can keep the "it's a beta" excuse. If you hype the release, you lose the excuse.

    - Greg

    --
    Start a happiness pandemic
  2. Re:He notes in the blog that his company does not by DA_MAN_DA_MYTH · · Score: 3, Interesting

    Maybe they should start paying for the world. Releasing buggy software and expecting people to QA it for you FOR FREE is insane. Maybe apple, microsoft, and the rest of these asshole companies should start hiring some decent testers. You fanbois can stop whining too, or are you offering to compensate these guys for bug testing your favorite lame software?

    Ah yes, giving away FREE software and expecting people to use it for FREE. In turn for that FREE use, if someone finds a bug it's absolutely ludicrous to expect them to report it.

    Now mind you I understand why they may be giving it out for FREE, probably so people can FREEly develop for the iPhone, widgets and browser.

    Maybe they should have created an IDE that wasn't FREE so you can pay for the tools to develop on their FREE platform, and use that money to pay for the QA department, so I can be FREE of you haters and your whining.

    --
    "It takes many nails to build a crib, but one screw to fill it."
  3. Re:He notes in the blog that his company does not by dfiguero · · Score: 3, Interesting

    What is it with the "Apple fanboi" phrase appearing on every Apple article. I don't use Macs at all and I'll probably won't use Safari as I'm pretty happy with FF and I don't see a reason to switch ATM.

    However, I'll agree that the attitude this researcher has is terrible. For starters how do we know he actually discovered all these vulnerabilities? I could claim I discovered some too and I won't disclose them. Secondly, why wouldn't he share the information with Apple, why bother discovering all these vulnerabilities in the first place? It's not like he's a black hat (AFAIK) so the only other reason I see is the attention you get from such comments.

    Besides I'm sure some people will gladly help Apple test their _beta_ browser. I'm all for more competition on the browser space, put some pressure on all players so they produce better stuff.

    --
    My penguin ate my sig
  4. Re:shooting the messenger is now + 5 insightful? by sitharus · · Score: 5, Interesting

    It's not present on Mac Safari, though the demo page does crash the Safari 3 Beta.

    The main thing is how the URL handling works, under Windows Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS the MacOS URL handler finds the application, and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.

    I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.

    --
    --sitharus
  5. From here @ WWDC... by catdevnull · · Score: 4, Interesting

    From what I can tell, Apple is jumping on the consumer bandwagon (or trying to)--it seems they're trying to increase the Webkit install base to raise the "awareness" factor for iPhone's web engine. From the sessions I went to today, it seems Apple is really pushing for Web 2.0 development. I was surprised by this--for a developer conference specifically for Apple's OS, there was this weird, eerie spell cast by the presenters for pushing web apps.

    The vibe amongst the attendees is a weird mix of disbelief and bewilderment. Safari for Windows was not the big deal Steve was hoping it would be. In fact, most of the conversations I've overheard are pretty critical of this direction.

    I don't think Apple is serious about competing for market share against FF or IE on Windows. I think they're offering the development platform based on Webkit so that web developers can make sure their code looks OK on the iPhone. Webkit-iness seems to be the only development platform for iPhone Apps.

    Or, maybe Steve is starting to drink his own Kool-Aid.

    --

    I might know what I'm talkin' about, but then again, this is Slashdot...
  6. Re:shooting the messenger is now + 5 insightful? by Fordiman · · Score: 5, Interesting

    Offtopic:

    I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.

    So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!

    Now, all the docs on how to enable it are for Safari on the Mac, understandbly. What to do?

    Kill Safari

    Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist

    Add, in what appears to be the logical place: IncludeDebugMenu1

    Load Safari. Now developer-useful things like the Javascript Console are available to you.

    --
    110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  7. The entire UI is broken by DrXym · · Score: 4, Interesting

    Every single dialog box and effect is Aqua style. Even though both OS X and Windows XP / Vista have theme engines meaning there should be absolutely no reason at all for doing this. The engines allow apps to render their controls in the native style irrespective of how they are implemented. It's why Firefox in its default skin looks like a Windows app on Windows, like a Mac app on a Mac and so on - because rendering is handed off to the theme engine. Same happens for Java too. But not Safari it seems.

  8. Crashes Safari 3 on Mac OS X too by eturro · · Score: 5, Interesting

    Thor Larholm's vulnerability example crashes Safari 3 on Mac OS X too.

  9. Re:He notes in the blog that his company does not by LKM · · Score: 3, Interesting

    I'll bite. Maynor described vulnerabilites. Maynor immeadately goes public with Mac vulnerabilites because he (in the past anyway) has claimed that Apple has ignored private disclosures. I've has exactly the same experience (many years ago) so I can support him on this point

    Looking at changelists for bugfix releases of Mac OS X, Apple regularly fixes non-public vulnerabilities and credits the people who found them. They do downplay these issues, and some managers from Apple have publicly lied about vulnerabilities in the past, but they do fix them pretty quickly and give proper credit.

    For all we know, Maynors own account of his issues with Apple bear little resemblance to what really happened.