Slashdot Mirror


Safari 3.1 For Windows Violates Its Own EULA, Vulnerable To Hacks

recoiledsnake writes "The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites." Further, Wormfan writes "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs." Update: 03/27 17:23 GMT by Z : Dave Schroeder writes with the note that the license has been updated to correct this mistake.

21 of 368 comments

  1. Some ideas are not so good by Miros · · Score: 4, Insightful

    Sometimes it's just really not a good idea to push a piece of software out to hundreds of millions of people on its first release just because they use/update your other products. This is the real way that it could come back and bite them, and it certainly seems to have.

  2. It was bound to happen by downix · · Score: 4, Insightful

    EULAs have gotten to the point that they conflict with themselves. One can then assume that Safari is intended for the Windows install on Mac machines, *or* on machines to which someone has applied an Apple brand sticker.

    I am waiting for the EULA that requires all users to declare the programmer their god and send off their first born child to him in sacrifice.

    --
    Karma Whoring for Fun and Profit.
  3. Nonsensical headline by Idaho · · Score: 3, Insightful

    Can someone please explain to me how software could possibly "violate its own EULA" (even theoretically, not necessarily restricted to this case)?

    I agree that the EULA makes no sense, assuming that Apple wants as many Windows users as possible to use Safari. But that's an entirely different matter.

    In fact, the EULA can be adhered to without any problem: after all, you can install Windows just fine on Mac hardware these days. So you can actually run Safari for Windows on "Apple labeled hardware".

    I seriously doubt the way it is stated in the EULA is really Apple's intention though ;)

    --
    Every expression is true, for a given value of 'true'
    1. Re:Nonsensical headline by SpeedyDX · · Score: 3, Insightful

      Good points, though I think it can be explained in a much easier manner.

      As someone who regularly uses the functions "copy" and "paste", I can tell you that there are many times where I c/p a blob of text and forgot to change something crucial in it. This happens to many people. Apparently, the folks at Apple are not immune to human flaws.

      It's probably just an oversight. A HUGE oversight. But there's really no need to make a circus out of it. Then again, this is Slashdot, right?

  4. Re:It has begun... by muffen · · Score: 3, Insightful

    If you say so, but Apple doesn't make you download iTunes or Safari. You don't have to buy an iPod. This is a different situation to Windows and IE.
    If you want to continue that logic, you don't have to buy a computer at all, or any electronics for that matter. In fact, you could be a naturalist and live without even clothes.

    Not that I dislike Apple more now than I did before I RTFA, which is to say I have a fairly neutral view on them, but if you look at a lot of articles lately I do believe that in general, they are a little less liked now than they were when they initially released the iPod.

    Anyways, going back to the article, I think the EULA is just a mistake and believe they will correct it. It does however bring up a valid point about the usefulness and legalities around EULAs.
  5. Re:It has begun... by MMC+Monster · · Score: 2, Insightful

    The EULA issue is a red herring. The real problem is they pushed Safari to everyone who has iTunes. Most individuals who are not tech-savvy will install Safari, given the option.

    If Safari becomes the default browser on these systems, you end up with critical vulnerabilities in a browser installed on non-tech-savvy individuals' computers.

    --
    Help! I'm a slashdot refugee.
  6. Re:Violating the EULA by ari_j · · Score: 5, Insightful

    You are mistaking "signature" and "agreement." Signatures are not a prerequisite to a valid contract, they are merely very good evidence of agreement. You can get out of some contracts you signed and you can be held to some contracts you didn't. The lack of a signature is not the reason EULAs are of questionable enforceability.

  7. Re:It has begun... by Mattsson · · Score: 4, Insightful

    Also, if you do choose to buy an iPod, you don't have to use iTunes.
    You don't even have to use Apple firmware on your iPod. There's a replacement firmware that makes iTunes totally obsolete.
    It's not available for all iPod models yet though...

    All in all, though, an installer that offers the option of installing irrelevant software (like installers that offer "google toolbar" or "Safari" or "superduper spywareinstaller") should have that option unselected as default.

    --
    /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
  8. Re:It has begun... by elrous0 · · Score: 4, Insightful

    Considering Apple's notorious heavy-handedness in their software updates and the aggressive way their software "takes over" your computer when installed, I wouldn't install a piece of Apple software on my computer if you put a gun to my head (I'd as soon install Realmedia player). I used to put Quicktime on my system, but I got so tired of putting up with that sneaky turd (would NOT let you completely uninstall it, insisted on always running in the background no matter what you did to stop it, would try to sneak its way back into your registry even if you deleted its entries, aggressively took over neutral file types, would constantly try to trick you into installing iTunes too, etc.) that I finally refused to even install that much (I use "Quicktime alternative").

    Anyone who installs Apple software had better be prepared to join the cult, otherwise stay the hell clear of it.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  9. Re:Switch? by Shados · · Score: 3, Insightful

    Apple has gotten where it is almost exclusively by taking the low road, with borderline false advertising and Microsoft-style tactics. They originally make an excellent product (MacOSX, iPods, etc.), get a name from it, then push it further using the low road. It's always been that way. If you're going to move away from Microsoft because of shady marketing as one of your primary reasons, stay clear of Apple. Jobs makes Ballmer look like a saint in that department.

  10. Re:It has begun... by Anonymous Coward · · Score: 1, Insightful

    It is just an oversight. They forgot to change the EULA, that is all. They are not going to be branding anyone a criminal or taking out cases against people for using Safari on Windows. Don't be such a cock. What is worse is that idiots like yourself are deflecting attention from the real problem of the security issues. Your analogy sucks donkey balls, but what is Slashdot without stupid analogies.

  11. Re:It has begun... by Lussarn · · Score: 1, Insightful

    The security issues aren't the real problem here, all software has them from time to time. I'm sure there will be an update soon. But the real problem is Apple pushing unrelated software to people who bought an iPod. They need to stop doing that now.

    Windows is a free for all platform, companies decide by themselves how pushy they can be. And Apple has crossed the line by a wide margin.

    MS should have better guidelines, and an integrated updater for third party software. Only then will moves like this be resolved.

  12. Re:It has begun... by RetiredMidn · · Score: 3, Insightful

    If Safari becomes the default browser on these systems, you end up with critical vulnerabilities in a browser installed on non-tech-savvy individuals' computers.

    So first we have to have a user who is unaware of what Safari is or careless enough to not uncheck the box in Apple Software Update. It seems highly unlikely to me that many of the users who download Safari without thinking about it are going to go looking for it in the Programs menu and launch it. And it's not vulnerable if it's not running.

    It was silly and wrong for Apple to leave the box checked by default, but this is not a big problem, and it's not going to become one.

  13. Re:It has begun... by MrNaz · · Score: 4, Insightful

    The security issues aren't the real problem here, all software has them from time to time.

    Oh blow me. Can you imagine the shitstorm of a comment thread that would result from this exact same thing being the result of MS's doing? The massive gaping security hole *is* a big deal, it is not made less so just because Apple did it and not MS.

    And what the hell are you talking about with MS giving guidelines? You mean like, MS should give you guidelines on what you should and should not do with your PC? Dude, seriously, where the hell did you come up with your ideas?

    --
    I hate printers.
  14. Re:You can stop ignoring them by Anonymous Coward · · Score: 1, Insightful

    Judge Easterbrook's decisions in general, and ProCD specifically, are regarded as highly persuasive authority.

  15. Re:Violating the EULA by Just+Some+Guy · · Score: 2, Insightful

    If you do not agree to the license, you do not have a right to use said software.

    Especially in the case of boxed, purchased software, I gained the right when I gave the store clerk money in exchange for that software. In fact, since up until the point that I click "I Agree" to some ignorable EULA I haven't even given the illusion of agreeing to anything, it's my right to hack out any objectionable code (such as that EULA dialog). That's because I own that copy of the software.

    --
    Dewey, what part of this looks like authorities should be involved?
  16. Re:Hardly surprising by AdamReyher · · Score: 3, Insightful

    It might be that Apple just doesn't want to take the time to write software for Windows that works properly. Can't say I blame them...
    If Apple wants to have any respect in the overall industry (which they're slowly losing from me), making crap software for platforms they don't like isn't going to get them anywhere. You know, it's really not that difficult to make proper software for Windows. Granted, everything will be vulnerable from time to time and I really could care less about the vulnerabilities.

    Safari is marketed as the perfect browser for Windows, without flaw, without question. They have the gall to assume that everyone who uses iTunes would prefer Safari simply because it has an Apple logo on it.

    And when Safari falls victim to security vulnerabilities just like every program out there, those of us who know what we're talking about don't blame Apple for their complete incompetence as programmers. Security vulnerabilities happen. It's the way of programming. It's virtually unavoidable. Yet fanboys turn around and say Apple isn't obligated as a company to produce secure software and back up their own marketing hype simply because Windows is a crap platform. It sickens me. And they get away with it.

    --
    The Computations of AdamR
    http://www.adamreyher.com
  17. Re:It has begun... by eck011219 · · Score: 5, Insightful

    Look at it another way. You have a Mac, and you run Office. Somewhere during the routine update process, some new, not-ready-for-primetime version of IE gets installed and is set as your default browser.

    The issue is in part that Safari is not related to iTunes or Quicktime. There's no reason to believe that by installing music software, the manufacturer will also push a browser to you.

    All this will do is piss people off and make them turn off automatic update options, which will eventually result in some flaw in iTunes or Quicktime being less widely patched. It was not a capital crime, but it was dumb and irresponsible of Apple.

    And the EULA thing is just funny. What with the ample fleet of lawyers they have in Cupertino, I'm surprised ANYTHING gets out without a full legal vetting. Software gets out with bugs, but EULAs don't typically get out without great scrutiny.

    --
    It is pitch black. You are likely to be eaten by a grue.
  18. Apple Update Sucks! by Nom+du+Keyboard · · Score: 2, Insightful

    I already have good enough reason to feel Apple's whole approach to update sucks!

    All I want to do is update QuickTime on my XP box. I need it because of the .mov and .qt files it won't play otherwise. QT tells me there's a new update I must install, but the ONLY WAY Apple will provide me this update is bundled with iTunes, which I DON'T HAVE and DON'T WANT!

    It's never a good idea to install software you have no need for (I'm one of the remaining 27 people in the world without an iPod), don't want (the software, or the iPod), and don't know how to avoid without just not updating in the first place.

    Why the hell does Apple think I need an iTunes update just to update their buggy QT?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  19. A buffer overflow? In 2007? Seriously? by argent · · Score: 2, Insightful

    Seriously, people give MS a bad rap these days, but any exploit you're going to see in their software these days usually takes advantage of complex system interactions or odd exception throwing.

    That's because Microsoft's "Active Content" security model, introduced in 1997, pretty much created the 'complex system interactions' vulnerability ecosystem. Before then the whole idea that an application that displayed untrusted content would provide a path for that content to execute code with full local user privileges was inconceivable. It was literally a joke: the basis for the "Good Times" virus hoax was the idea that there would EVER be a way for an embedded virus to be launched automatically by email software.

    Microsoft has its own problems with buffer overflows, for example this recent one, but if they only had buffer overflow issues there wouldn't be the kind of virus problem there is now. Because when you fix a buffer overflow you're fixing a bug. When you fix a 'complex system interaction' problem, you can't usually fix the underlying cause because there's other legitimate software that depends on that cause... so all you can do is add new checks. Which means that variants of the original exploit, possibly using a different avenue of approach to the underlying vulnerability, still remain.

    So Microsoft is between a rock and a hard place. Every check they add has the possibility of breaking legitimate content. So instead of preventing the dangerous interaction, they pop up a dialog and ask the user if they really meant to do whatever caused the dangerous interaction to happen. Which pisses users off, and trains them to answer "yes" to "I'm about to do something stupid and dangerous" dialogs.

    When web comics about fuzzy animals are making fun of this problem, you know things are getting bad.

    CATS wants to execute 'setupbomb42.dll'. As a result you may have no chance to survive make your time. Allow (yes) (no)?

    And the really annoying thing is that Firefox (with XPI install through the browser) and Safari (with 'open "safe" files after downloading') have started to follow Microsoft's path of setting users up the bomb and then popping up a dialog asking if they want to detonate. Luckily Apple finally turned 'open "safe" files' off by default, but they've kept the 'set us up the bomb?' dialogs anyway.

  20. Re:It has begun... by recoiledsnake · · Score: 5, Insightful

    Good god, man! We've got to get them back on Internet Explorer! Though you meant it as a joke, for users on Vista, that could actually be a good thing. IE on Vista runs in a sandbox, so any code owning IE can only mess with the cache folder or something, and can do nothing to your system, nor anything to your user files like documents. Whereas almost every other browser out there runs with the user's permissions (not root or admin) by default (on all OSes, AFAIK), so that a compromise can result in viruses/keyloggers etc. that can run on startup, delete your user files/documents and/or email them to Nigeria, whereas that's simply not possible with IE on Vista.
    --
    This space for rent.