Slashdot Mirror


Apple Safari On Windows Broken On First Day

An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.

3 of 595 comments

  1. Re:shooting the messenger is now + 5 insightful? by sitharus · · Score: 5, Interesting

    It's not present on Mac Safari, though the demo page does crash the Safari 3 Beta.

    The main thing is how the URL handling works: under Windows, Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS, the MacOS URL handler finds the application and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.

    I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.

    --
    --sitharus
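The command-line handoff described in the comment above, as an added example that is not part of the original comment or any Apple or Microsoft code: it shows how a URL pasted unencoded into a handler's command-line template changes the argument count, and how percent-encoding before the handoff keeps it a single argument. The handler path, the `exampleapp` scheme, the flag name and the simplified argument splitter are all assumptions made for illustration.

```python
from urllib.parse import quote

# Hypothetical registry-style handler template; "%1" is replaced by the URL.
HANDLER_TEMPLATE = '"C:\\Program Files\\ExampleApp\\exampleapp.exe" "%1"'

def build_command_line(url):
    """Naive substitution: the URL is pasted into the template unchanged."""
    return HANDLER_TEMPLATE.replace("%1", url)

def split_args(cmdline):
    """Simplified argv splitting: double quotes group text, spaces separate.
    Real Windows parsing also has backslash rules, which are not modelled."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch == " " and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def encode_for_handler(url):
    """Percent-encode characters that could end the quoted "%1" argument.
    Ordinary URL punctuation and existing %XX escapes are left alone."""
    return quote(url, safe=":/?#[]@!$&'()*+,;=%~-._")

if __name__ == "__main__":
    # Constructed input: a URL containing a double quote and spaces.
    url = 'exampleapp://open/item" --hypothetical-flag "value'
    raw = split_args(build_command_line(url))
    fixed = split_args(build_command_line(encode_for_handler(url)))
    print(len(raw), raw)      # the URL has become several arguments
    print(len(fixed), fixed)  # program path plus one URL argument
```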
  2. Re:shooting the messenger is now + 5 insightful? by Fordiman · · Score: 5, Interesting

    Offtopic:

    I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.

    So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!

    Now, all the docs on how to enable it are for Safari on the Mac, understandably. What to do?

    Kill Safari

    Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist

    Add, in what appears to be the logical place: IncludeDebugMenu1

    Load Safari. Now developer-useful things like the Javascript Console are available to you.

    --
    110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  3. Crashes Safari 3 on Mac OS X too by eturro · · Score: 5, Interesting

    Thor Larholm's vulnerability example crashes Safari 3 on Mac OS X too.