Safari 3 Beta Updated, Security Problems Fixed
Llywelyn writes "Apple has released an update to the Windows Safari 3 Beta. According to Macworld the updates '...include correction for a command injection vulnerability, corrected with additional processing and validation of URLs that could otherwise lead to an unexpected termination of the browser; an out-of-bounds memory read issue; and a race condition that can allow cross-site scripting using a JavaSscript [sic] exploit.' It is available through either the Apple Safari download site or through Apple's Software Update."
It's about time! ;) What took them so long!
-Daniel
(but then again, we already knew that)
That should get more people looking to Macs on their next hardware upgrade.
Kevin Smith on Prince
In your butt.
Downloaded and tried to open websites in Chinese. The rendering is just horrible, unreadable and totally unacceptable. Texts are not where they should be. In this sense, this Safari is even not as good as IE 4, which could display such webpages well. I heard that, (didn't try), Safari could not open most webpages in non-western languages.
I for one welcome our sic cross-site JavaSscript overloards.
Has anybody been able to get Safari installed on Windows 2000?
I'm your average rabid Apple fan, but surely they had to have a fix at least this fast to keep from looking stupid. I doubt they'll be as quick in the future.
they haven't fixed all the vulnerabilities yet.
I went and downloaded Safari within hours of it being announced. I hate having to give out an email address just to get the download, and I hate even more having to uncheck several boxes to avoid downloading every piece of software Apple owns. I gave the browser about 10 minutes, it didn't impress me on page loading time, usability, or looks, and it's likely to just disappear and not make it back onto my machine the next time I reinstall Windows.
Just don't fill in that field. :P
Konqueror's Win32 release will be as big a disaster.
Apple still sucks and I still hate them and safari is terrible and I can't believe they released software with a security hole and so forth....
I can't believe that a bug in Beta software was such big news that the release of an update to that beta is news itself.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
Developing a browser for Windows will be quite a test for Apple and the Safari developer community. Is Apple trying to get a larger user community (even tens of percents), or just making it possible for web developers to easily test their servers for Safari? In any case, if Apple can survive in this market, they are in an interesting position - partner with Google, and offer their own services for Windows users perhaps?
Now if they would just fix the problem that some people (including myself) are having where no text shows up anywhere in the application and you can't type in any of the text input fields (kind of hard to use a browser when you can't type in an address).
Let's see Micro$lop make fixes to Internet Exploder that quickly.
I ain't holding my breath on the Redmond crew, are you ?
Now can they make it not suck?
the COMMUNITY would have had it fixed
and fixed WAY faster copyleft knockoff $Apple$
I, for one, refuse to acknowledge the EXISTENCE of closed source browsers.
Live Free or Die
...is there for a reason.
Though I really would prefer vulnerabilities fixed asap, I can see the reason for Patch Tuesday, especially for non-0day exploits.
Safari 3.0.1, however, is just damage control.
Having Safari available on Windows removes the 'Apple Only' hardware requirement for any company who wants to develop Web 2.0/AJAX applications that run on the iPhone which opens Safari development to a much much larger pool of developers.
If you don't know what Cmd-Shift-1 and Cmd-Shift-2 are for, GTFO.
If you think Firefox is a decent Mac application, GTFO.
If you're still looking for the "maximize" button, GTFO.
If you don't know Clarus from Carl Sagan, GTFO.
Bandwagon jumpers are not welcome among real Mac users. Keep your filthy PC fingers to yourself.
Once Apple gets Safari for Windows to the point where it's very stable, I'll probably be recommending it to IE users. Yes, above FireFox and Opera. I use a Mac with FireFox, but most people don't need the extensions that FireFox offers, I love them, but your average user won't use them. What your typical end user wants: Simplicity, Speed, Security. IE offers simplicity, if Safari for Windows gets to the point where it's good (much better than it currently is) it will probably become my recommendation to your typical user....
Beau West - http://budgety.net/
does anyone else get the completely-unusable-font-version of Safari after they install? I had this problem with 3 and now with 3.0.1.
[an error occurred while processing this sig]
Safari test engineers don't seem to use real PC keyboards. They must be testing this only with Macs running Parallels or something..
l -buggy
The previous version threw a Watson after typing four chars into a form. This "fixed" version comes with 400% quality degradation for us keyboard-oriented:
http://assemblix.net/2007/06/14/safari-3.0.1-stil
Keep up the good work, Cupertino!
"In Soviet Russia, Apple's Safari browser fixes YOU!"
Man, I love that joke, and... Hang on a second, there's someone at my door.
*SMACK!!!*
OWWWWWW!
This may be a stupid question, but every other tabbed browser I've used has a hotkey to switch between tabs. Generally, that's ctrl-tab. I can't find anything similar in Safari though, and that is a big deal breaker. Am I just missing something?
I'm glad someone finally defined what Web 2.0 is. It's Web 1.0 multiplied by the hype.
Apple seemed to have responded *awfully* quick to a security whole in their new SDK, almost as if it was a web browser vulnerability? But, it can't be a browser, that is not what people here said it was.
Oh bugger, nothing like a typo to totally derail snide commentary. That whole should be a hole. I hereby disqualify myself from making additional snarky comments for this thread. Enjoy!
Next tab: Ctrl-Shift-]
Previous tab: Ctrl-Shift-[
Fixing the security issues may help in keeping Apple from looking foolish, but security is not the real problem with Safari for Windows. The real problem with Safari for Windows that Apple should be putting focus on is the user experience.* It's horrendous. Slow window redraws, completely broken Windows conventions, a total lack of extensibility, and on and on.
As a web developer, I'm pleased as punch that they've released a Windows version of Safari that renders pixel-for-pixel the same as the OS X version (it really does, I checked). However, Safari on Windows is not even in the running as far as being a candidate as a full-time browser on Windows. The user experience is simply too painful.
* I didn't say they should not focus on security. They most definitely should.
First: complex software written for use on a wide variety of configurations WILL HAVE BUGS. I just don't see any way around it. This has nothing to do with competition. OS X in the past 2 months has had a huge number of patches, hasn't it? That too, with a BSD based kernel and a much smaller hardware base.
Second: Not every bug is a showstopper. Even if a bug is found after code freeze, it might be better to release a patch separately. You know, like those "errata" sheets of paper in books.
When a patch is released the vulnerability *has* to be disclosed! That means sysadmins would run around trying to keep systems up to date the whole month.
I agree that more out of cycle patches should be released for serious vulnerabilities that are being exploited, but I see nothing wrong with the Patch Tuesday method otherwise.
safari does not work well with my dual screen vista box. it works on screen 1, but when you maximize the browser on the 2nd screen, it disappears and cannot be minimized, only closed.
as for the point of having safari on windows... it is great for web developers. now I can stop running around trying browsers on different machines... if only IE6 were available for vista
Isn't it amazing how quickly Apple zealots come up with reasons why sucky Apple products were "never intended to compete anyway"? You guys have drunk so much cool aid, it has completely filled your head and colored your eyes rosy.
You cite "Patch Deployment Costs" as a reason...
That just begs the question:
Why are patch deployment costs on Windows so high? The only real rationale for this on the Wikipedia page you reference is "a patch issued by Microsoft would break existing functionality", and that's a matter of code, not physics constraints.
-- Terry
It still has a bug that makes the text blurry. Please let me turn off anti-aliasing!
No wait...
:-p
But maybe it's just as good to not have any sensationalist headlines to mislead you?
Beware: In C++, your friends can see your privates!
Agreed. In fact, bugs ARE due to sloppy code, in the OS, drivers or programs. BTW, what's the difference between a bug and an error? I've always called an error a bug. Vulnerabilities are a subset of bugs.
What I am saying is that bugs are an inescapable reality.
Apple delivers updates once monthly. So does Microsoft. What's the difference?
PS: I don't need an advertising agency to tell me what is correct.
Operating systems are complex beasts. It's not just in Windows where a patch has broken existing functionality. In fact, OS X has had this (patches broke wireless on many Apple Intel laptops not too long ago), and I really can't tell you how many times I've updated my Linux kernel (past) or installed an Ubuntu security update (present) and had some part of my computer's functionality disappear. The reason it appears to happen so much more often with Windows is simple: on the desktop, Windows has 9 times the userbase of OS X and Linux, combined.
So patch deployment cost is high. With more machines (in more configurations) running Windows, testing patches to ensure that they won't break critical functionality is not only important--it's necessary. You don't want to deploy a patch company-wide, and all of a sudden have your entire company virtually shut down because of an unanticipated bug.
Also, begging the question does not mean what you think it means.
1. The absolutely huge number of configurations. Say, the coder of a driver didn't follow guidelines and used a hack (linked to, say, a vulnerability). A future update fixed the vulnerability and therefore the hack, but the device went kaput. Microsoft is of course partially to blame -- however they've got their act together now. They have a program going where if 500 or more Vista error reports are received for a driver, they would make it top priority to work with the manufacturer.
2. As I've mentioned in the discussion above, the release of a patch entails the disclosure of the vulnerability. If patches were released all of a sudden, exploits would be *guaranteed* to release the next day. So sysadmins would have to patch systems as soon as they are released. With a set schedule, at least he knows when he would be required to do so.
Think of the sysadmins, I say!
Not sure about the Safari application, but Webkit has been releasing nightlies for some time. At least on MacOS, they come in the form of an app that uses the local WebKit engine on the installed Safari UI.
That reminds me of the Ubuntu 6.06 update that actually broke X and dumped the user into a command-line! People claim to install Ubuntu on granny's computer to solve virus/spyware issues. Think about what granny would be thinking then. Things *will* break. There's just no way around it.
Calling them "bugs" is a way for us to avoid blame for making mistakes, either in the code itself or in the processes we use to plan and implement that code.
Calling an error a "bug" makes it sound like it could have crawled in there on its own. ("Gee, I don't know how that bug got in there. I'll fix it.")
It didn't just crawl in there on its own, and it's not a feature or a bug, it's a mistake, pure and simple. And someone made it.
We (hopefully) learn from our mistakes. Labelling them "bugs" makes it less likely we'll take personal responsibility for them; hence more likely to make the same mistake the next time than if we were honest with ourselves and said "I screwed up - that's a mistake."
Sure, calling it a bug might soothe our egos (we don't have to admit we made a mistake - the program is just "buggy"), but really, are our egos that easily bruised that we can't own up to our mistakes?
Kevin Smith on Prince
Still waiting for that 'childlike sense of wonder' patch.
I install Firefox to anybody who asks. I also install the Adblock extension, and explain what it does. People are VERY receptive, so that when they use anything else than Firefox, they complain about the abundance of ads. Extensions can be very useful to the normal user, just need to educate them.
I've used it on Windows XP Pro. A friend has been using it on Vista. Neither of us can find a single thing wrong with it in 2 days of browsing (even to my bank, the acid test of browsers). The LA Times reviewer recommends it. ComputerWorld praises it. But here on Slashdot about all I see are people giving it a thumbs down. Am I seeing a bit of bias here? Someone direct me to a web page that Safari 3 on Windows XP renders horribly. Please, I wanna see.
If I didn't have absolutely NOTHING to do, I wouldn't be here.
You have three options when you download Safari:
Safari is not bundled with Quicktime unless you choose the first option
My main issues with the current beta are the lack of Proxy support, non standard UI. It also seems to break a lot of webpages that IE and Firefox display fine (check my website in Safari for an example - probably bad coding on my part). The upside though is it has a small memory footprint, faster, looks nice with my theme and improves my geek status.
I think it was about two years ago that Safari surpassed Opera's marketshare. It rapidly captured a majority of the MacOS segment, as people realized that Internet Explorer was a dead end, and newer Macs ceased to pre-install IE. After IE/Mac was pulled down from Microsoft's website, the older browser declined even faster.
These days, most stats give Safari 2-3 times Opera's percentage. Except for a few lists that still show lots of Netscape use, it's generally at #3 behind IE and Firefox
It's not so much that Apple wants developers to test their websites in Safari as much as it is they want to give Windows developers a WebKit platform in which to test web apps, since apps will be running in Safari on the iPhone.
"Sufferin' succotash."
One thing holding me back from testing it at all is that the most fabled "Font Smoothing" feature looks terrible on CRTs and makes all the letters look like BOLD fonts. I dunno about you guys, but it's much harder for me to read things if it's all in bold. :/
If administrators really wanted a special day to prepare for aggregate patches, they could accumulate released patches for themselves and do their own massive update on their own designated special day. They don't need Microsoft to schedule one for them. Some vulnerabilities are important enough that admins might purposely want to violate their schedule and install the fix, and admins should be given the choice to do that. Microsoft should release patches as soon as they're available and leave the install schedules up to the admins--it's their job.
"Sufferin' succotash."
Apple renders fonts to match the accuracy of the glyphs so that they resemble what they would look like in print, important for desktop publishing. Windows happily renders fonts inaccurately so that they're 1-pixel thin and packed into a pixel grid.
"Sufferin' succotash."
But for some reason, authentication to OWA sites doesn't work in Safari. I can get as far as entering my username and password... But then the browser just stalls. This recent update seems to fix my stability issues... but I still wish I had auto-scrolling..
This *still* crashes when authenticating to a proxy server on winxp. I'll keep downloading and trying... for a while.
http://kazehakase.sourceforge.jp/20031201.html
It can use almost every html rendering engine available to Linux. w3m, khtml, gecko, etc.
proxy settings are still broken and crashing when authenticating to any form of proxy.
That's what Fake Bill Gates said, too. Safari for Windows is a ploy to boost the share of the browser market belonging to standards-compliant web browsers. If they can get enough market share built up with FireFox 3 + Safari + iPhone + Nokia (WebKit based) then web sites conforming to randomly broken IE conventions will be compelled to modernize. The primary effect for Apple is that iPhone customers will find fewer and fewer web sites that don't work in their Safari browser. A secondary effect will be that Microsoft can no longer dominate the web with broken implementations of open standards.
I don't get the joke. Safari, for me, renders our supplier's website without any problems, which is a freakin' miracle. If you browse their products in IE or Firefox, it turns into a game of whack-a-mole, as trying to click on a hyperlink changes the page layout.
I hate Safari because the rounded edges mean that if you run your mouse up to the very top-right corner and click, you end up closing the window behind. That. Is. Awful. But for synnex.com.au, it's a godsend. Why is the parent modded funny? Am I funny?
Consciousness is a myth. Trust me.
No, Apple is already a solid # 3. I think what they really want is to gnaw an enormous chunk out of the Internet Explorer share, so that FireFox 3 in combination with Safari, will make up a significant fraction of the market, a fraction that will pass the ACID Test. Apple doesn't want people and companies to continue making hideous broken web sites that conform to the broken, de facto standards of IE. Fake Bill Gates agrees. How much better would the internet be if 1/3 of the browsers out there were ACID compliant? About 99% better, I'd guess. How much more rapidly can web technology evolve if there is a solid base of browsers readily supporting new, open standards? Twice as fast? Ten times as fast?
I am surprised that not a single slashdot comment that I can find is stating the obvious, which is that this is "wag the dog" kind of stuff.
The patch was released almost too fast, what's the odds that it was already written?
Think about it. Apple releases an essentially identical, standards compliant browser on both Mac and Windows. Then it turns out that it's a security problem on Windows because of the foolish way in which Windows does not validate the URL. They then release a patch less than 24 hours later that allows them even more media coverage, exactly on that point. At the same time they get kudos for responding so fast.
Now on the day of the release (well half a day anyway), the press is all bad. But then comes dozens of articles about the fact that the problem is actually with Windows, not with Safari itself. Apple then gets to point out this fact in spades by mentioning in the press release that it was "windows fault and if you were on the Mac there is no need to worry." How good is that?
To all those thinking Apple was embarrassed by the security flaws, you're missing the bigger picture. A week from now no one will remember anything about that.
They will however remember that Apple fixed the "Windows problem" with Safari in less than 24 hours.
I think this whole exercise is a statement by Apple, a dig at windows specifically. They are not only showing Microsoft up by besting their best efforts in a browser, they are pointing out (again), that Windows is just less secure by design, as well as horribly non-compliant in terms of open standards. Even on the Mac, the main reason for Safari's existence has always been to promote the existence of open standards and open standard compliant browsers. What better illustration of that need could you get than this?
Another Hole Found in Just-Plugged Safari for Windows
i ndows.html/
http://securitywatch.eweek.com/apple/safari_for_w
A software developer released an update to a beta test?
THIS is real news. Thank you zonk, for not wasting people's time with pointless articles.
That will learn me for using a CRT monitor. Setting font smoothing option to "light", makes little difference. I want a "sharp" option. :-(
re: the lack of proxy. I installed it on my work pc (where any web access must go through the proxy) and it just worked. I'd assumed it had copied the proxy settings from IE/firefox, but perhaps it is actually accessing them from there each time it needs them (on startup? or page load?).
Close Safari first
Mac:
same as old safari - open a shell and run: defaults write com.apple.Safari IncludeDebugMenu 1
Windows:
Find this file:
wdrive:\Documents and Settings\username\Application Data\Apple Computer\Safari\Preferences.plist
And stick this in there:
<key>IncludeDebugMenu</key>
<true/>
before the </dict>
Then open safari again. Should have the debug menu available.
If you can fix bugs in an application like a web browser in one day, it means that Apple has brilliant programmers. Kudos to them. Or it could mean that QA fails to find trivial bugs.
It appears to access them at startup from what limited testing I've been able to do so far.
According to my manual of style 'Quoting bad grammar or classy drivel is allowed only if there's a legitimate reason to make the speaker look like an idiot.' (chapter 'style', entry 'quotation'), then it goes on to explain that you should correct spelling and grammar, if necessary. Also ''sic 'so it reads verbatim'. To point out a curiously or wrongly spelt word in a quotation, you can insert (sic). But remember that this can easily leave a pedantic impression.'' (chapter 'words') ISBN 90-417-0172-9
yep, still doesn't work here :D
http://www.howtocreate.co.uk/safaribenchmarks.html
Interesting reading.
/agree
... (of course I would prefer the editor to be emacs but it is good enough to be used).
...
You may mod me as a flamebait but overall I am very happy personally with Windows XP, I had no big crash after patching, not had much to tweak to get a usable system and Visual Studio 2005 is quite nice once you install some plugins
From a user point of view, I am quite impressed by their efforts over the last year to improve their corporate image
Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
Call it flamebait if you like but even beta software, given that it's a public beta, that doesn't give basic web browser functionality (proxies) is pure and utter garbage. If I try to get to a web page, Safari picks up the proxy from IE and prompts for username and password, and then promptly crashes when I enter them. If you try to turn proxies off, you quickly discover that you can't do that as the button to modify proxies is greyed out. In its current state I can use Safari at work to look at web pages on my hard drive, but not for web browsing. There is no excuse whatsoever for this. Many users are behind a proxy, and it's not an optional extra. The people who insist it's buggy because it's on windows (conveniently ignoring all the software that does work well....or at least better than this shit) are idiots. This is an excellent way to turn potential converts to your browser off for good. I've uninstalled at work and won't be touching it at home. Thanks for wasting my time Apple.
These posts express my own personal views, not those of my employer
Lots of folk around here have been bemoaning the UI and Font Rendering, parent explains this very clearly
(I'm a javascript/css hacker and have already posted "tested in Safari 3.0" against various things on my site. Inc my AJAX framework
If you don't risk failure you don't risk success.
Why don't they release a version for linux? Oh, because apple are cunts.
I wrote my first program at the age of six, and I still can't work out how this website works.
Another take on the release was put up here: http://www.standandcount.com/index.php/safari-tops -1-million-downloads-10
The crux being PR loves download stats and two versions are better than one for that.
---- The geek shall inherit the Earth.
Doesn't fix my rendering issues. And it occurs on two entirely different computers. Am I the only one to get this?
You just got troll'd!
The problem with this "wag the dog" conspiracy theory is that the technical issue is too subtle. Apple's objective with Safari for Windows is not to use some clever media wagging stunt to convince the few dozen remaining Slashdot geeks who don't already think that Apple takes security more seriously than Microsoft. Their objective instead is to capture a chunk, a big, big chunk, say twenty or thirty percent of the web browser market for standards-compliant browsers. If they can swing it, with Safari for Windows, then the world will see a decline in web sites that support IE only. This will benefit Apple, of course, but it will benefit everybody else, too. Alternative web browsers of all types will find it easier to grow their audience base when web sites become standards-compliant, rather than IE-bug-compliant. Apple, I assure you, would have preferred that they ship Safari with zero defects.
If you mod me down, I shall become more powerful than you could possibly imagine.
Re:"I see nothing wrong with the Patch Tuesday method"
Except that those same sysadmins have a right to know that their boxes are possibly being rootkitted, so that they can do something about it, like disable possible attack vectors etc.
Shipping a buggy product and locking customers in are not connected in any of the four dimensions.
Look up "sunk cost fallacy."
Kevin Smith on Prince
Safari installs but does not run if your Windows XP username has international characters in it. For instance, if your username is José, and your application files get stored in C:\Documents and Settings\José, the app doesn't start up. If I create a username with no accents, however, Safari runs without any issues. This is exactly the type of problem that I had with Democracy Player about a year ago. What's with this lack of support for users with accented names? Has anyone found a way to get around this bug, other than removing the accents from their name?
I like apple right now, but crap is crap, it doesn't matter who produces it...
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I don't need a username and password to get through my proxy, though. Googling around, I see there's quite a few problems with proxy authentication support in various packages, as well as a variety of authentication schemes, so I wouldn't automatically classify authenticating proxies as "basic functionality".
It even works on Windows 2000 for those of us who have declined to upgrade to "spyware-enhanced" Windows XP and Vista.
If it was just a matter of security, I'd be using Safari on Windows anyway... but on top of that Safari redraws faster than IE and Firefox on Windows for me. There are some preferences settings relating to whether it should render while images are downloading, have you checked those?
I'm less happy about them wrapping it in the Mac-style window borders. Hopefully that's temporary.
The main problem I have is that you can't tell it to wait long enough for some pages that take a while to start coming up. You should be able to kill that timeout. But that's rare enough that one would call it "painful".
Sorry KDE dudes, KMelion just doesn't cut it. Safari owns KHTML on Windows.
Did anyone ever find out that some of the 'problems' of Safari, like it takes up huge resource, could be caused by an ad banner?
A few days ago I was on MacCentral reading an article "First Look: Safari 3 Beta" when I'd found that every time when I was on that page, 95%+ of the CPU time has been drawn from my computer. Eventually I'd found that if I disable plug-ins, CPU usage of Safari dropped back to single-digit. And interesting enough, the ad that had not been shown up after I disabled the plug-ins was the Age of Empires III banner from Microsoft.
Although I'm still using an older version of Safari, it had been verified by other users running Safari 3 beta that the same problem occurred, and disabling plug-ins did 'solve' the problem.
My point is that, for some people that had found Safari hungry of resource, it not only depends on what web sites you're frequently visiting, it also depends on what ad banner those sites have been linked to. It's so easy to blame a web browser for not doing the job well when the internet is essentially a zoo out there that, beside the 'feature' of Safari like resizing, it's extremely difficult to pinpoint what is causing it to fail. And it also explains why some users found that one site is loading okay one day, and the same site freezes up the computer the other day. Also, other users found that reloading the page seems to solve certain problems...
To summarize, if you find a site you are visiting is making your computer frozen, disable plug-ins from the Safari -> Preference -> Security tab, reload the page and see if it would 'solve' your problem.
P.S. Well, a day after I replied to the forum there, the Age of Empires III ad banner is nowhere to be seen in MacCentral. The Office for Mac ad there did not take up that much of my CPU time as the Age of Empires III ad did. It may not be part of a conspiracy theory, but anyhow I'd submitted a bug report to Apple already, in case it's not just a simple compatibility problem from Redmond...