Apple Safari On Windows Broken On First Day
An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.
report vulnerabilities to Apple because he is a total fsckwad loser attention hound.
Thanks for the news about the vulnerabilities, Paris Maynor.
guns kill people like spoons make Rosie O'Donnell fat.
... it's a beta version.
Bugs in the first public beta release!
:/
Who would've thought it!
Incidentally, it doesn't seem to like authenticating proxies at all, so my first experience with it was a bug too
However, making a big deal of, but not reporting bugs found in a beta release of something seems more than a little silly.
Advanced users are users too!
I'm not surprised. Apple really doesn't write more secure code, they just have a lower market share and thus aren't as much of a target.
And a lot of their success at security on Mac OS is just them inheriting some of their security from the BSD kernel which I'm positive beats the hell out of the Windows kernel in terms of security.
The quote is "an afternoon of idle _fuzzing_". As in fuzz testing.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
From wikipedia -> http://en.wikipedia.org/wiki/Software_release_cycle#Beta , this is a prototype / preview / early access.
Report the bugs and they will probably get fixed.
I'm amazed that things like this get to the story line on /. .
Only 'flamers' flame!
Does slashdot hate my posts?
Make sure your current copy of Safari is still in /Applications/. The beta won't install otherwise.
Remote code execution 2.5 times faster than FF on windows!
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
I was actually looking forward to try this browser out, but to my surprise, I could not even make it work.
The installation was smooth without any unexpected bumps on the road. First when I loaded the program, I noticed that no menu fonts nor any fonts whatsoever on the web pages existed. To make it worse, the browser would crash every time I clicked on anything with interactivity, such as the stop button. I have read quite a few solutions to this problem but so far no success. I run Win XP SP2, btw.
Anyway, there are more problems around the corner. According to the Apple forum, people can't play Windows Media files, dual monitor support is very buggy, some buttons screw up the GUI when pressed down and dragged, loads of spontaneous lockups, random letters appearing everywhere, installation problems, parental control issues and more.
Also, I am not a big fan of customized GUI:s for crucial applications like a web browser. We should be able to use Windows ClearType instead of the ported OSX version (which sucks), and most importantly, we should be able to use the standard Windows themes. I don't get why Apple thinks the average Windows user would want a significantly altered browser that looks nothing like the rest of the operating system he or she is using. How would Mac users react if Internet Explorer was ported with the Windows theme?
I think it looks like a promising project, but I am worried because it's not in Apple's nature to release beta software with so many bugs and so little heart put into it.
Full Tilt
..."that you should expect bugs in a BETA"
Come on. You have to admit remote execution of any cmd is pretty bad even for a beta. This ain't your run of the mill bug, like a UI glitch or rendering type of bug. It makes the beta unusable and thus not a very useful beta. (Unless you're testing how your own trusted website looks under Safari.)
Camping on quad since 1996.
Apple includes CoreFoundation.dll and CoreGraphics.dll, which have the same exports as the OSX frameworks.
Therefore it's possible to use the OSX CoreFoundation and CoreGraphics headers to link to the Windows DLLs natively and create native Windows "pseudo-OSX" apps.
I believe CoreFoundation.dll has been around with WebObjects for Windows NT for a while, but I think CoreGraphics.dll is a new Apple "release" (I remember some anger over Apple not porting CoreGraphics when WebObjects/NT first came out).
I've documented some of what I've poked around today (just a screenshot and simple description for the moment) at http://pages.brianledbetter.com/
... but the first thing that I thought of was that here you have an app (Safari) that works perfectly fine on Macs; as soon as it gets ported to Windows, BAM, instantly full of vulnerabilities. Would Apple go so far as to break their own product to deface an opponent in the OS arena?
Aikon-
I wonder how many of those vulnerabilities are actually Safari/KHTML code and how many of those are Windows vulnerabilities.
IIRC, Firefox had that "URL protocol handler command injection" vulnerability (or something around those lines, correct me if I'm wrong) a few years ago and FF developers said it was the way Windows handles protocols. In the end, they had to change the way URLs are handled inside FF to prevent Windows from catching it.
These things are worth a lot. Spammers, governments, mobsters... all will pay. You even get your choice of payment method:
*euros
*credit card numbers
*yuan
*underage virgins
*dollars
*shekels
*death to your enemies
*rubles
*pounds, British money
*pounds, crack cocaine
Just be sure to not rip off the buyer. Most of the buyers have nasty ways to kill you. Some of them have polonium. Some of them have penis pills.
They release a beta of a free product, the engine of which (and almost certainly where these bugs are located) is open source, and this "security researcher" finds a bug and refuses to report it. Deep throat he's not.
Mac: Hello, I'm a Mac...
PC: ...and I'm a PC.
Mac is looking through a small viewfinder, looking very absorbed
PC: Hey Mac.
Mac: Yeah?
PC: What are you doing?
Mac: I'm browsing the internet with Safari.
PC: I do the same thing with IE.
Mac: You should try Safari. It's fast, secure, and easy to use.
Mac hands the viewfinder to PC
PC: Oh, thanks.
PC looks into the viewfinder and keels over, dead
Mac shrugs
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Google.com takes 45 seconds to load. CNN.com, several minutes for just the text to load (haven't seen any images yet), I have yet to see the Safari home page fully load. It has now been about 8 minutes since I started the browser and the home page is still loading and has a blank screen. OK CNN just finished loading 12 minutes later. Slashdot, about 2 minutes for just the text, and about 5 minutes for the whole page. (And yes, I've tried restarting/rebooting several times)
This is all on a 7 mbit cable connection, using Firefox, CNN.com, or mostly any other page for that matter, takes about 3 seconds or less to fully load, including all the flash animated ads. So figuring there must be something wrong with my PC, I install safari on my laptop. Nope! Same results. I upgrade ITunes, thinking there might be some strange dependency on the latest version of quicktime, but no difference. I disable my (software) firewall, and antivirus.. and again nothing.. still watching the grass grow faster than the page loads... Anyone else experience this?
For what it's worth - I discovered the proxy feature is broken. Once you enter your user name and password, the browser crashes (Windows XP).
Need an ISP in South Africa?
That is the responsibility they undertake, yes. They may or may not understand all the ins and outs, but it's their responsibility.
Based on the blog posting, they STILL don't know what's "in for them," since the vulnerabilities are still undisclosed. They remain in Maynor's to do list, for sale to the highest bidder for all we know.
If you're a linux or MS supporter, don't waste your breath defending this guy. He wasted a year of everybody's time on that Airport vulnerability that didn't exist.
Don't blame me, I voted for Baltar.
For a browser to have an "easily" testable major bug like remote execution is something which should have been caught a bit before. I disagree totally with the way this security "researcher" handled the bugs, but I also totally disagree with cutting it slack because this is a beta. Bugs found so quickly by testing a few known vulnerabilities in a browser are something bad. With a big B. Smells of a lack of security testing pre-beta.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I didn't say he shouldn't report that there's a bug, I said that he should report the bug to Apple. The beta agreement probably requires that he do that, actually.
And if you're installing a beta then yes, you really should be aware that you're in for some bugs. It's very unfortunate that Google has diluted the meaning of "beta" so much.
Also note that he's not really failing to report a bug to Apple, he's failing to report it to the webkit/khtml open source project. I doubt very much the bugs are in Apple's closed source GUI front end to webkit.
I doubt URL handling is part of the KHTML/KJS renderer; responsibility for acquiring content in Konqueror is done in KIO, so Apple would have had to implement their own content acquisition scheme.
It is possible that the stack failure is in (KHTML/KJS)/WebKit - but as it's not been shown that these bugs apply to either Konqueror or Mac Safari, it's most unlikely that the stack failures are the result of the open portion of the code.
Anyway, as a news story, this is a null set; it's a public beta. It's there for the public to test it and report bugs. It's not a production browser.
I'd be curious, however, to see if these bugs are Windows-only (for example, Mac OS-X and KDE have a URL handling scheme built into the OS that wouldn't be available in Windows; it would need to be implemented as part of Win Safari), or if they apply equally to Windows and Mac.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
This just in, nasty bugs were quickly discovered in the public beta of a newly ported app. Disappointment of outrageous expectations has now led to the death of several men living in their mothers' basements.
It is assumed Apple realized this devastating "beta" because they hate freedom and want the terrorists to win... and they've now won.
We will try to stay on top of this developing critical story.
My god have mercy on us all.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
The messenger says something along the lines of:
"The Trojans are going to attack tonight. There'll be at least five cohorts, but I can't tell you where they're coming from, or the time of the attack, because you know, that'll spoil all the exciting fun."
It's not present on Mac Safari, though the demo page does crash the Safari 3 Beta.
The main thing is how the URL handling works: under Windows, Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS, the MacOS URL handler finds the application, and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.
I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.
--sitharus
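The command-line hand-off described in the comment above, as an added example (not code from the thread, from Safari or from Windows): a verbatim substitution of a URL into a quoted handler template, and a caller-side check that keeps the URL inside one argument. The handler path, the scheme allowlist, the sample URLs and the simplified argument splitter are all constructed assumptions.

```python
from urllib.parse import quote

# Constructed registration string in the style of a Windows URL protocol
# handler: the shell replaces %1 with the URL and launches the result.
HANDLER_TEMPLATE = r'"C:\Program Files\Example\viewer.exe" "%1"'  # hypothetical

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumption: the caller's policy


def build_command_line(url: str) -> str:
    """Substitute the URL into the template verbatim (the risky hand-off)."""
    return HANDLER_TEMPLATE.replace("%1", url)


def split_args(cmdline: str) -> list[str]:
    """Simplified argv splitter: double quotes group, whitespace separates.
    Real Windows parsing also has backslash rules, which are not modelled."""
    args, current, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        args.append("".join(current))
    return args


def harden_url(url: str) -> str:
    """Reject unexpected schemes, then percent-encode quotes, whitespace,
    backslashes and control characters so the URL stays a single argument."""
    scheme = url.split(":", 1)[0].lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    return quote(url, safe=":/?#[]@!$&()*+,;=%")


def handler_argv(url: str) -> list[str]:
    """Arguments the launched program would see for this URL."""
    return split_args(build_command_line(url))


if __name__ == "__main__":
    # Constructed sample: a double quote inside the URL closes the argument early.
    sample = 'https://example.com/page" --constructed-switch "x'
    print(handler_argv(sample))              # URL plus two extra arguments
    print(handler_argv(harden_url(sample)))  # program path plus one URL argument
```

A caller that hands URLs to an OS handler can also compare the argument count against the expected two and refuse to launch on a mismatch.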
From what I can tell, Apple is jumping on the consumer bandwagon (or trying to)--it seems they're trying to increase the Webkit install base to raise the "awareness" factor for iPhone's web engine. From the sessions I went to today, it seems Apple is really pushing for Web 2.0 development. I was surprised by this--for a developer conference specifically for Apple's OS, there was this weird, eerie spell cast by the presenters for pushing web apps.
The vibe amongst the attendees is a weird mix of disbelief and bewilderment. Safari for Windows was not the big deal Steve was hoping it would be. In fact, most of the conversations I've overheard are pretty critical of this direction.
I don't think Apple is serious about competing for market share against FF or IE on Windows. I think they're offering the development platform based on Webkit so that web developers can make sure their code looks OK on the iPhone. Webkit-iness seems to be the only development platform for iPhone Apps.
Or, maybe Steve is starting to drink his own Kool-Aid.
I might know what I'm talkin' about, but then again, this is Slashdot...
Perhaps you, yourself, should have looked up the definition, ye lazy & bilesome rapscallion!
Offtopic:
I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.
So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!
Now, all the docs on how to enable it are for Safari on the Mac, understandably. What to do?
Kill Safari
Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist
Add, in what appears to be the logical place: IncludeDebugMenu1
Load Safari. Now developer-useful things like the Javascript Console are available to you.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
Slashdot stripped my XML. The line to add is, IncludeDebugMenu1
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
It's very unfortunate that Google has diluted the meaning of "beta" so much.
It's very unfortunate that the rest of the industry (especially MS) has diluted the meaning of "gone gold" so much. Gold is the new beta; beta is the new alpha.
Put identity in the browser.
No. But put it this way...
Let's say there's something built atop an open source library. Hey, there's plenty of them out there... let's pick OpenSSL as an example. It's open source and it's used in other projects, some of which are commercial or proprietary systems. Now assume that some company makes a proprietary, closed product built on that project as the core, but continues to contribute changes -- a heck of a lot of changes -- back to the original project as they develop. And then they release this as a beta.
Finally, let's say that someone finds a vulnerability in the proprietary project, a security issue with implications for the open source project. And instead of reporting the vulnerability to the proprietary folks (who would probably promptly generate a patch for both their tool and the underlying library), the person refuses to report the vulnerability to anyone and just says 'I found vulnerabilities, but I'm not telling you what they are.'
That's basically how WebKit/KHTML and Safari are tied together. Safari's just a UI atop an open source framework, WebKit, which Apple is the primary contributor to but which other people also contribute to, and which other projects (besides Safari and OS X) use. WebKit is used on Symbian OS, on Linux, and various other operating systems. And this guy is claiming to have found vulnerabilities which, given where they occur, seem to have implications for WebKit as well as Safari... and is refusing to give the details to either Apple, or to the WebKit development community.
You don't have to be an Apple 'fanboi' (or fangirl) to see that's not the way to handle security disclosures. If someone found several bugs in Firefox and said 'ZOMG I can crash Firefox or anything which uses the Gecko HTML engine. I can do it 100% of the time. But I'm not going to report the details to the Firefox team, so, nyah!' people would be up in arms about it.
Professional, good security researchers report things to the responsible parties, giving them the details necessary to fix it. Going, "Ha ha, I found a way to break your stuff but I'm not going to tell you how" is not only unprofessional, it's just downright immature.
Sure, lambaste Apple for releasing a beta/preview of something with bugs if you feel you must. But, please, don't bother trying to defend someone who basically makes a mockery of the entire security field.
--Rachel
Steve Jobs wondered while introducing Safari for Windows: "How good are we at bringing apps to Windows?"
After reading "4 DoS bugs and 2 remote execution vulnerabilities", I'd say: "Pretty good!"
- Otaku no naka no otaku, otaking da!!!
I have tried the browser in Windows XP Professional SP2 and all works perfectly fine for me. The browser is quick and responsive.
:(
Now it may be a beta, but the browser seems VERY buggy, too buggy to be a beta (according to other people's testimonies, not my own experiences). I think Apple has missed out on a great opportunity to gain market share here because there will be many people who have tried the browser, had major issues, and now will never go back. Yes I know it is a beta! (preempting the hordes).
I also think that the product was rushed to market, and that Apple would never have released the browser in this condition had it not been for WWDC 07. I think they just could not get it to the point they would have wanted in time. And I agree with those above who have said the browser exists mainly for testing iPhone Apps in. Time will tell if they made the right decision here.
I would suggest to anybody out there to wait a couple revisions before really trialling this application unless you are going to use it to connect to trusted websites you already know, or looking to develop for the iPhone.
Now where is my developer copy of Leopard. We non attending Apple Developer Select Members always get made to wait a couple months
Every single dialog box and effect is Aqua style. Even though both OS X and Windows XP / Vista have theme engines meaning there should be absolutely no reason at all for doing this. The engines allow apps to render their controls in the native style irrespective of how they are implemented. It's why Firefox in its default skin looks like a Windows app on Windows, like a Mac app on a Mac and so on - because rendering is handed off to the theme engine. Same happens for Java too. But not Safari it seems.
Did they strip your Preview button too?
Or how about everyone stop treating their choice of operating system as a religion? Hmm?
I just read Slashdot for the articles.
That's a nice way to get karma! If you post a comment that you suspect is going to be modded insightful, remember to include some errrors, so you can post a correction and get some more positive moderation for the second comment! ;-)
(...waiting for this comment to be modded insightful)
Life is wet, then you dry.
Thor Larholm's vulnerability example crashes Safari 3 on Mac OS X too.
Pride goeth before destruction, and an haughty spirit before a fall. Proverbs 16:18
Quidnam Latine loqui modo coepi?
So when are you coming back for your second dose of moderation? Or do I get to steal them because I beat you to it? Informative surely *fingers crossed*
Strength through redundancy and over-design
Did you just really use the word rapscallion in a real world sentence?
Awesome.
An important change for education.
I think the company you're looking for is Mirabilus. Mirabilus diluted the meaning of Beta. Thanks for playing.
I hate grammar Nazi's.
not to be mean but
It's a friggin BETA!!!!!
it's supposed to have bugs in it.
besides it's not like IE where the bugs are in the shipping version and part of its core design.
i thought once I was found, but it was only a dream.
May contain traces of nut.
Made from the freshest electrons.
Yes. Every application release ever by a large company was irresponsible. And why limit it to large companies? No software should ever have been released because they all contain bugs which could be exploited by hackers!
What Maynor does is absurd. We all know software has bugs. The developers must be held accountable. But you can't do that unless you tell them what the hell the bug is, because they can't fix the bug until you tell them what it is!
No, he was not.
Geez, if you really believe that whole Ou-invented idea that Apple somehow "orchestrated" a smear campaign against Maynor and got Dalrymple and Chartier to play along with them, you should stop reading zdnet and start reading a real news outlet. It's one of the most inane tech conspiracy theories I've ever heard.
"Fangrrl", please!
Don't be such a nrrrd!
This guy's the limit!
*Every* time????
You might like to have a look at London's millennium bridge ( designed by one of the biggest Civil/Structural engineering firms in the world ) or Ronan point (to name just two of the famous ones) and reconsider that statement a little.
Don't you mean Mirabilis?
You're welcome.
Also, that should be "Nazis."
...you can release a public beta and have thousands of publicity whores do top notch security analysis of your beta for free?
OS independent path (IE Vista-friendly): %APPDATA%\Apple Computer\Safari\Preferences.plist
And "no longer supported" is the new gold.
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
Also, I would note that Quartz (which renders fonts on modern Macs) also uses subpixel font rendering; MS merely did it first.
The differences in font rendering between Windows and Mac are due to other reasons, which I explain here
What's purple and commutes? An Abelian grape.
March 23, 2004, although the details of how or why elude me.
I like basketball!!1!