Apple Safari On Windows Broken On First Day

An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.

Re:shooting the messenger is now + 5 insightful?

[sitharus]

It's not present on Mac Safari, though the demo page does crash the Safari 3 Beta.

The main thing is how the URL handling works, under Windows Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS the MacOS URL handler finds the application, and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.

I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.

From here @ WWDC...

[catdevnull]

From what I can tell, Apple is jumping on the consumer bandwagon (or trying to)--it seems they're trying to increase the Webkit install base to raise the "awareness" factor for iPhone's web engine. From the sessions I went to today, it seems Apple is really pushing for Web 2.0 development. I was surprised by this--for a developer conference specifically for Apple's OS, there was this weird, eerie spell cast by the presenters for pushing web apps.

The vibe amongst the attendees is a weird mix of disbelief and bewilderment. Safari for Windows was not the big deal Steve was hoping it would be. In fact, most of the conversations I've overheard are pretty critical of this direction.

I don't think Apple is serious about competing for market share against FF or IE on Windows. I think they're offering the development platform based on Webkit so that web developers can make sure their code looks OK on the iPhone. Webkit-iness seems to be the only development platform for iPhone Apps.

Or, maybe Steve is starting to drink his own Kool-Aid.

Re:shooting the messenger is now + 5 insightful?

[Fordiman]

Offtopic:

I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.

So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!

Now, all the docs on how to enable it are for Safari on the Mac, understandbly. What to do?

Kill Safari

Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist

Add, in what appears to be the logical place: IncludeDebugMenu1

Load Safari. Now developer-useful things like the Javascript Console are available to you.

The entire UI is broken

[DrXym]

Every single dialog box and effect is Aqua style. Even though both OS X and Windows XP / Vista have theme engines meaning there should be absolutely no reason at all for doing this. The engines allow apps to render their controls in the native style irrespective of how they are implemented. It's why Firefox in its default skin looks like a Windows app on Windows, like a Mac app on a Mac and so on - because rendering is handed off to the theme engine. Same happens for Java too. But not Safari it seems.

Crashes Safari 3 on Mac OS X too

[eturro]

Thor Larholm's vulnerability example crashes Safari 3 on Mac OS X too.