Slashdot Mirror


Safari 3.1 For Windows Violates Its Own EULA, Vulnerable To Hacks

recoiledsnake writes "The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites." Further, Wormfan writes "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs." Update: 03/27 17:23 GMT by Z : Dave Schroeder writes with the note that the license has been updated to correct this mistake.

18 of 368 comments

  1. I think you're not reading closely enough by hassanchop · · Score: 5, Informative

    "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs."


    I got Safari as part of the iTunes update. I have a non-Apple Windows machine, running Safari. They basically forced the software on me, and the EULA says I can't use it.

    Does that answer your question?
    1. Re:I think you're not reading closely enough by weicco · · Score: 2, Informative

      How are they to know the difference between Windows on a Mac and Windows on any other PC to determine whether to disable the 'bonus feature' or not?

      Quite easily. Ask WMI. It knows a lot of stuff going on and under your Windows setup.

      --
      You don't know what you don't know.
  2. You keep saying that word.... by Nursie · · Score: 3, Informative

    A naturalist is -

    "A scholar or student of natural history, the science of the natural world; see also natural science. It may also refer to a Wildlife enthusiast or a Conservationist"

    Not a naturist or nudist.

  3. Re:I already have this update... by SigILL · · Score: 2, Informative

    In all seriousness, excepting the spiffy Apple skinning, this is Firefox's illegitimate twin. Has anyone done a code comparison??? :P

    Yeah, and they found that it's based on Konqueror, not Firefox. Something that Apple widely acknowledges, too.
    --
    Error: password can't contain reverse spelling of ancient Chinese emperor
  4. Re:Violating the EULA by Kjella · · Score: 5, Informative

    Your EULA is fiction, and until I see one stand up in court I'm going to ignore it. I guess you better close your eyes and hum real loud then. I'm not saying it's universal, but to take a few examples from the Wikipedia page in Brower v. Gateway "the Supreme Court of New York ruled that the terms of the shrink-wrapped license document were enforceable because the customer's assent was evident by his failure to return the merchandise within the 30 days specified by the document." And regarding click-wraps: "Click-wrap licenses have met with more support in the courts, though notable counterexamples exist. In ProCD v. Zeidenberg, the license was ruled enforceable because it was necessary for the customer to assent to the terms of the agreement by clicking on an 'I Agree' button in order to install the software."

    The whole section on enforceability starts with "The enforceability of an EULA depends on several factors, one of them being the court in which the case is heard. Some courts that have addressed the validity of the shrinkwrap license agreements have found some EULAs to be invalid, characterizing them as contracts of adhesion, unconscionable, and/or unacceptable pursuant to the U.C.C." If you read between the lines, it says "No court has rejected EULAs outright". If you're outside the US, it seems to be much the same. Yes, Germany declared the bundling with Windows to be unenforceable, but the EULA as such still remains. In short, you're talking about the way you want it to be, not legal reality, except possibly in Kansas where there was a ruling agreeing with you.
    --
    Live today, because you never know what tomorrow brings
  5. some comments by nguy · · Score: 3, Informative

    I think you should seriously consider Ubuntu: for all those things that people usually use a Mac Mini for (music, video, photos, web browsing, text processing, Skype, etc.), it's actually probably a better choice. Ubuntu supports more audio, video, and file formats, it's easier to keep updated, and all the applications are preinstalled. Oh, and Ubuntu will talk just fine to your iPod, and unlike iTunes, will let you copy both to and from the iPod.

    (I have a Mac Mini, an iMac, and several iPods, but I now mostly use my Ubuntu systems for everything)

  6. Re:I already have this update... by Dak+RIT · · Score: 2, Informative

    You're free to do one yourself if you want, since Safari's engine, WebKit, is open-source. It's kind of odd though that a "rip off" of Firefox would be scoring so much higher than it on the Acid3 (100/100 now as of the latest nightly), and (compared to FF2) on Acid2.

    You must not come here much, do you?

  7. Re:Hardly surprising by Jeff+DeMaagd · · Score: 4, Informative

    I call BS. I just uninstalled iTunes and there's no background process or anything like that running, and no executable remaining. Maybe the program should have offered to remove the program preferences in your account, but there's no binary there.

    That "spyware" service you refer to is just a notifier to open iTunes when an iPod is connected. That's all it does. It's hardly malicious, and it doesn't report to Apple what you do with your computer.

  8. Re:I already have this update... by Fenice · · Score: 2, Informative

    To be more precise, the html rendering engine (webkit) is based on khtml, which is the konqueror (default) built-in rendering engine.

    And whatever we can say about konqueror/safari, this branch of engines is generally considered to be well designed and standards compliant (khtml passed acid2 tests before gecko).

  9. Re:Violating the EULA by russotto · · Score: 3, Informative

    It's not even that. Microsoft have their way in that regard now. What you own is the media with a binary copy of the application/operating system. What you license by agreement to the EULA is the rights to then install and use that software as a running process (or processes) on compatible hardware.


    Sorry, but 17 USC 117 says that owning the binary copy already grants me the right to install and use the software.
  10. Re:It has begun... by TheoCryst · · Score: 2, Informative

    If Safari becomes the default browser on these systems, you end up with critical vulnerabilities in a browser installed on non-tech-savvy individuals' computers. Fortunately, simply installing Safari doesn't make it the default browser. I'm not saying that I support what Apple did, but I think that people are having a bit of a knee-jerk overreaction here.
    --
    Warning: Contents May Be Flammable. Keep Out Of Reach Of Children.
  11. Re:It has begun... by Zonk+(troll) · · Score: 5, Informative

    Considering Apple's notorious heavy-handedness in their software updates and the aggressive way their software "takes over" your computer when installed, I wouldn't install a piece of Apple software on my computer if you put a gun to my head (I'd as soon install Realmedia player). I used to put Quicktime on my system, but I got so tired of putting up with that sneaky turd (would NOT let you completely uninstall it, insisted on always running in the background no matter what you did to stop it, would try to sneak its way back into your registry even if you deleted its entries, aggressively took over neutral file types, would constantly try to trick you into installing iTunes too, etc.) that I finally refused to even install that much (I use "Quicktime alternative").


    Anyone who installs Apple software had better be prepared to join the cult, otherwise stay the hell clear of it.

    I agree with that, but if you need QuickTime support in, say, an organization there is a way around that without using Quicktime Alternative.

    Download the installer. Run cabextract on it. You'll get the following files:

    AppleSoftwareUpdate.msi
    QuickTime.msi
    QuickTimeInstallerAdmin.exe


    Only install QuickTime.msi. Delete the others. Just do msiexec /qn /i QuickTime.msi.

    Then run this registry file:


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-


    Make sure to delete the shortcuts so users can't bring it up. Doing it this way will let the browser plugins work, and also enable software that uses quicktime to work (lots of educational software uses it) without being hostile to your system. It will only take the quicktime file extensions this way.
    --
    "The Federal Reserve is a fraudulent system."--Lew Rockwell
    End The FED. -
  12. Re:It has begun... by Anonymous Coward · · Score: 1, Informative

    Absolutely incorrect. It will hide the icon, sure, but it still runs all its same shit. Just look at startup entries in the registry and processes running after you boot.

  13. Re:It has begun... by Garse+Janacek · · Score: 2, Informative

    The EULA is not a red herring. ... If they decide they are desperate and start suing (not likely any time soon) there are a lot of potential targets.

    Oh, come on. That's not just farfetched, it's ridiculous. First of all, the scenario you describe is impossible just because of the issue that they pushed this update out themselves. Even if they did become this "desperate" (because of people illegitimately using their free web browser? Well, whatever), no judge in the world would listen to a suit like that. But, more importantly, the point you really seem to be missing is that this is just a stupid goof on Apple's part. This wasn't an issue of "We only want Safari to run on Apple computers. Oops! We accidentally pushed it out to Windows users who should never have it -- we'd better sue to keep them from using it." It was "We want everyone to run / have access to Safari. Oops! We sent out the wrong EULA that doesn't apply to this group of people."

    As GP says, insofar as there is an issue here, it is one of security. The EULA issue serves to slightly reinforce how ridiculous click-through licensing is, but it is not an ominous sign of Apple's legal scheming.

    --

    I am the man with no sig!

  14. Re:It has begun... by MMC+Monster · · Score: 4, Informative

    To call rockbox an upgrade firmware is stretching the truth a bit. Limited support for video, limited support for album art, and cluttered UI are real issues for individuals that want their players to "just work".

    Mind you, I last installed it about 4 months ago. I'll try again if people say it's much better now.

    --
    Help! I'm a slashdot refugee.
  15. Re:Violating the EULA by ari_j · · Score: 2, Informative

    Technically, those contracts aren't even implied, they are explicit. The terms beyond the price and quantity of the gum will be supplied by applicable law. In states within the U.S. that have adopted it, the Uniform Commercial Code, Article 2, will apply. Under UCC 2-201, the contract doesn't have to be in writing because it is for less than a certain amount (depending on the version of the UCC that the state has adopted; generally $500). Under 2-509, because you bought the gum from a gum merchant, the risk of the gum being lost to an act of God is the seller's risk until you take possession of the gum. Under 2-314, there is a warranty, among other things, that the gum is fit for the ordinary purposes of gum.

    An implied contract is one where the parties' behavior shows that there is a contract even though there is not an explicit agreement between them. When you buy gum, there is an explicit agreement when you communicate by putting the gum on the counter that you are offering to buy it for the stated price and the store communicates its acceptance by telling you "with tax, that will be 53 cents, sir." An implied contract would be if you picked up the gum, left 53 cents on the counter, and walked out of the store without any communication in either direction, and the store never bothered to chase you down over it.

    Subtle, but it's a pet peeve of mine. Don't worry - most judges don't know where explicit contracts end and implied contracts begin.

  16. Re:It has begun... by rwven · · Score: 3, Informative

    Apple has already responded and said the EULA statement was an oversight. It's fixed in the next release and it's not binding anyway.

  17. Re:It has begun... by watzinaneihm · · Score: 4, Informative

    That's a great suggestion .. a minor nitpick ..
    "msiexec /qn /i QuickTime.msi" will run the msi with no UI at all.. replacing "/qn" with "/qb!" will do the same install with a limited UI. At least that way there is some indication that an install is in progress.

    --
    .ACMD setaloiv siht gnidaeR
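The QuickTime-only install from comment 11, with the /qb! tweak from comment 17, as one PowerShell script. This is an added example, not code posted by any of the commenters: it assumes QuickTime.msi has already been extracted with cabextract into the script's directory, that the Start Menu folder is named 'QuickTime', and that QuickTime's background helper process is called qttask (neither name appears in the thread). It ends with the check comment 12 calls for, listing any Run entries or processes that survived, so an administrator can verify the result rather than trust it.

```powershell
# Added example (not from the Slashdot thread): install only QuickTime.msi,
# strip the auto-start entry and shortcuts, then audit what is left running.
param(
    # Assumption: QuickTime.msi was extracted with cabextract next to this script.
    [string]$MsiPath = (Join-Path $PSScriptRoot 'QuickTime.msi')
)

$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'QuickTime Task'   # value name from the .reg file in comment 11

# 1. Install only QuickTime.msi. /qb! shows a basic progress bar with no
#    Cancel button (comment 17's suggestion) instead of the fully silent /qn.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/qb! /i `"$MsiPath`"" -Wait -PassThru
# 3010 is ERROR_SUCCESS_REBOOT_REQUIRED, which still means the install succeeded.
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# 2. Remove the auto-start entry. Equivalent to the "QuickTime Task"=- line
#    in comment 11's .reg file; silently succeeds if the value is absent.
Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue

# 3. Delete the Start Menu shortcuts so users cannot launch the player.
#    Assumption: the installer creates a 'QuickTime' folder here.
$shortcutDir = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\QuickTime'
if (Test-Path $shortcutDir) {
    Remove-Item -Path $shortcutDir -Recurse -Force
}

# 4. Audit, as comment 12 argues you must: return any Run entries (machine or
#    user hive) or running processes that mention QuickTime or qttask.
#    Assumption: qttask is the name of QuickTime's background helper.
function Get-QuickTimeResidue {
    $pattern = 'QuickTime|qttask'   # -match is case-insensitive by default
    $residue = @()
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PSPath/PSChildName/... bookkeeping properties the provider adds.
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $value = [string]($props.$name)
            if ($name -match $pattern -or $value -match $pattern) {
                $residue += "Run entry: $key\$name = $value"
            }
        }
    }
    Get-Process | Where-Object { $_.ProcessName -match $pattern } | ForEach-Object {
        $residue += "Process: $($_.ProcessName) (PID $($_.Id))"
    }
    return $residue
}

$found = Get-QuickTimeResidue
if ($found.Count -eq 0) {
    Write-Host 'No QuickTime auto-start entries or background processes found.'
} else {
    Write-Warning 'QuickTime residue still present:'
    $found | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell prompt, since both msiexec and the HKLM Run key need administrator rights. Step 4 only inspects the Run keys and the process list; if the audit reports residue, the Run value was recreated by the installer after step 2 ran, or a process was started by a mechanism outside the Run key, and the machine needs a closer look before the image is rolled out.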