Slashdot Mirror


Safari 3.1 For Windows Violates Its Own EULA, Vulnerable To Hacks

recoiledsnake writes "The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites." Further, Wormfan writes "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs." Update: 03/27 17:23 GMT by Z : Dave Schroeder writes with the note that the license has been updated to correct this mistake.


  1. Acidity by n3tcat · · Score: 5, Funny

    So Acid 4 will include security tests too now, right?

    1. Re:Acidity by MooseMuffin · · Score: 5, Funny

      Yes. You pass if the website renders correctly. You fail if the website owns your machine.

  2. Re:It has begun... by Divebus · · Score: 5, Funny

    "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs." Damn! Now, where did I put those Apple stickers?
    --
    Most of the stuff on /. won't survive first contact with facts.
  3. I wonder... by Fenice · · Score: 5, Funny

    ...if Apple can sue itself for proposing illegal installs of Safari on Windows?

  4. I think you're not reading closely enough by hassanchop · · Score: 5, Informative

    "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs."

    I got Safari as part of the iTunes update. I have a non-Apple Windows machine, running Safari. They basically forced the software on me, and the EULA says I can't use it.

    Does that answer your question?
  5. Fine by me by asc99c · · Score: 5, Funny

    My iPod came with a big Apple sticker which for some reason I did stick on my PC. Guess I'm OK to use Safari then.

  6. Re:Violating the EULA by ari_j · · Score: 5, Insightful

    You are mistaking "signature" and "agreement." Signatures are not a prerequisite to a valid contract, they are merely very good evidence of agreement. You can get out of some contracts you signed and you can be held to some contracts you didn't. The lack of a signature is not the reason EULAs are of questionable enforceability.

  7. You can stop ignoring them by hassanchop · · Score: 5, Interesting

    http://en.wikipedia.org/wiki/ProCD%2C_Inc._v._Zeidenberg

    "ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir., 1996), is a United States contract case involving a "shrink wrap license". The issue presented to the court was whether a shrink wrap license was valid and enforceable. Judge Easterbrook wrote the opinion for the court and found such a license was valid and enforceable."

    They've been held up in court. The issue isn't totally decided, with other cases dealing with more specific issues, but your "nah nah nah MARY HAD A LITTLE LAMB nah nah nah" fingers in the ears stance may not be legally prudent.

  8. Re:It has begun... by AvitarX · · Score: 5, Interesting

    The EULA is not a red herring.

    People are having software that they have no license to use being automatically installed on their systems. I would think a term like that is not valid (non-obvious terms may not be valid in the US), but if it does hold, they will have millions of people in the US infringing on their IP. If they decide they are desperate and start suing (not likely any time soon) there are a lot of potential targets.

    This is like the RIAA giving away MP3s on their website, saying "you agree to listen to this on only RIAA approved devices". When you suddenly have millions of people acting innocently illegally using your product it is not good for them.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  9. Profit? by crt · · Score: 5, Funny

    Step 1: Install Safari on millions of unsuspecting Windows PCs
    Step 2: Sue non-Mac owning PC users for violating EULA
    Step 3: ???

  10. Re:Violating the EULA by Kjella · · Score: 5, Informative

    Your EULA is fiction, and until I see one stand up in court I'm going to ignore it. I guess you better close your eyes and hum real loud then. I'm not saying it's universal, but to take a few examples from the wikipedia page in Brower v. Gateway "the Supreme Court of New York ruled that the terms of the shrink-wrapped license document were enforceable because the customer's assent was evident by his failure to return the merchandise within the 30 days specified by the document." And regarding click-wraps: "Click-wrap licenses have met with more support in the courts, though notable counterexamples exist. In ProCD v. Zeidenberg, the license was ruled enforceable because it was necessary for the customer to assent to the terms of the agreement by clicking on an 'I Agree' button in order to install the software."

    The whole section on enforceability starts with "The enforceability of an EULA depends on several factors, one of them being the court in which the case is heard. Some courts that have addressed the validity of the shrinkwrap license agreements have found some EULAs to be invalid, characterizing them as contracts of adhesion, unconscionable, and/or unacceptable pursuant to the U.C.C." If you read between the lines, it says "No court has rejected EULAs outright". If you're outside the US, it seems to be much the same. Yes, Germany declared the bundling with Windows to be unenforceable, but the EULA as such still remains. In short, you're talking about the way you want it to be, not legal reality, except possibly in Kansas where there was a ruling agreeing with you.
    --
    Live today, because you never know what tomorrow brings
  11. Yet more proof by an.echte.trilingue · · Score: 5, Funny

    Yes. You pass if the website renders correctly. You fail if the website owns your machine. Yet another "standards" test designed to make IE fail. This is just more proof that the W3 has it out for Microsoft.
    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  12. Re:It has begun... by grahamd0 · · Score: 5, Funny

    If Safari becomes the default browser on these systems, you end up with critical vulnerabilities in a browser installed on non-tech-savvy individuals' computers.

    Good god, man! We've got to get them back on Internet Explorer!

  13. Re:It has begun... by Zonk+(troll) · · Score: 5, Informative

    Considering Apple's notorious heavy-handedness in their software updates and the aggressive way their software "takes over" your computer when installed, I wouldn't install a piece of Apple software on my computer if you put a gun to my head (I'd as soon install Realmedia player). I used to put Quicktime on my system, but I got so tired of putting up with that sneaky turd (would NOT let you completely uninstall it, insisted on always running in the background no matter what you did to stop it, would try to sneak its way back into your registry even if you deleted its entries, aggressively took over neutral file types, would constantly try to trick you into installing iTunes too, etc.) that I finally refused to even install that much (I use "Quicktime alternative").

    Anyone who installs Apple software had better be prepared to join the cult, otherwise stay the hell clear of it.

    I agree with that, but if you need QuickTime support in, say, an organization there is a way around that without using Quicktime Alternative.

    Download the installer. Run cabextract on it. You'll get the following files:

    AppleSoftwareUpdate.msi
    QuickTime.msi
    QuickTimeInstallerAdmin.exe

    Only install QuickTime.msi. Delete the others. Just do msiexec /qn /i QuickTime.msi.

    Then run this registry file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-

    Make sure to delete the shortcuts so users can't bring it up. Doing it this way will let the browser plugins work, and also enable software that uses QuickTime to work (lots of educational software uses it) without being hostile to your system. It will only take the QuickTime file extensions this way.
    --
    "The Federal Reserve is a fraudulent system."--Lew Rockwell
    End The FED. -
  14. A buffer overflow? In 2008? Seriously? by pyrbrand · · Score: 5, Interesting

    Man, they're not even trying, are they? This day and age, not only is there no excuse to ship with such a basic flaw, there's really no excuse to be programming in a fashion that would allow it. It's so easy to audit for basic overflows (at least on Windows) that it's silly. Even just compiling /GS with VC++ should protect you against a lot. Seriously, people give MS a bad rap these days, but any exploit you're going to see in their software these days usually takes advantage of complex system interactions or odd exception throwing.

    Apple should take a serious look at their coding practices and consider banning the use of unsafe CRT functions and using _s versions of any C functions they're using (Visual C++ has them and they're part of the next standard) or at a minimum requiring audits of all raw pointers. Static analysis tools should also be mandatory and should catch most issues. (http://www.spinroot.com/static/)
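    As an added example (not code from the thread, from Apple, or from Safari), the bounded-copy discipline pyrbrand describes, applied to the kind of fixed filename buffer the summary says the download path overflowed; the buffer size, function names and sample names are assumptions:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of a downloader's filename field (hypothetical value). */
#define NAME_MAX_LEN 64

/* Replacement for the pattern the thread complains about, strcpy(dst, name)
 * into a fixed buffer, which writes past dst as soon as a server sends a name
 * of NAME_MAX_LEN bytes or more. Here the NUL is looked for inside the bound,
 * over-long names are rejected rather than silently truncated, and only then
 * is the copy made. Returns true when dst holds a complete NUL-terminated copy. */
bool copy_name_checked(char *dst, size_t dstlen, const char *src) {
    const char *end = memchr(src, '\0', dstlen); /* NUL within dstlen bytes? */
    if (end == NULL)
        return false;                            /* name + NUL would not fit */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return true;
}

/* Building the on-disk path has a related trap: snprintf truncates instead of
 * overflowing, but ignoring its return value leaves the caller with a path
 * that differs from the one it showed the user. */
bool build_download_path(char *out, size_t outlen, const char *dir,
                         const char *name) {
    int r = snprintf(out, outlen, "%s/%s", dir, name);
    return r >= 0 && (size_t)r < outlen;
}

/* Self-checks on constructed inputs; each returns 1 when behaviour is right. */
int check_short_name_accepted(void) {
    char buf[NAME_MAX_LEN];
    return copy_name_checked(buf, sizeof buf, "report.pdf")
        && strcmp(buf, "report.pdf") == 0;
}

int check_long_name_rejected(void) {
    char buf[NAME_MAX_LEN], longname[4 * NAME_MAX_LEN];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';       /* 255 'A's: must be refused */
    return !copy_name_checked(buf, sizeof buf, longname);
}

int check_path_truncation_detected(void) {
    char path[NAME_MAX_LEN], name[NAME_MAX_LEN];
    memset(name, 'B', sizeof name - 1);
    name[sizeof name - 1] = '\0';               /* 63 'B's fit the name field */
    return build_download_path(path, sizeof path, "downloads", "report.pdf")
        && !build_download_path(path, sizeof path, "downloads", name);
}
```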

  15. Re:It has begun... by eck011219 · · Score: 5, Insightful

    Look at it another way. You have a Mac, and you run Office. Somewhere during the routine update process, some new, not-ready-for-primetime version of IE gets installed and is set as your default browser.

    The issue is in part that Safari is not related to iTunes or Quicktime. There's no reason to believe that by installing music software, the manufacturer will also push a browser to you.

    All this will do is piss people off and make them turn off automatic update options, which will eventually result in some flaw in iTunes or Quicktime being less widely patched. It was not a capital crime, but it was dumb and irresponsible of Apple.

    And the EULA thing is just funny. What with the ample fleet of lawyers they have in Cupertino, I'm surprised ANYTHING gets out without a full legal vetting. Software gets out with bugs, but EULAs don't typically get out without great scrutiny.

    --
    It is pitch black. You are likely to be eaten by a grue.
  16. Re:It has begun... by mrbluze · · Score: 5, Funny

    Anyways, going back to the article, I think the EULA is just a mistake and believe they will correct it. It does however bring up a valid point about the usefulness and legalities around EULAs.

    Any EULA is basically saying:

    • This software is mine, so piss off!
    • If you use it, it's your stupid fault, so piss off!
    • You can't sue me but I can sue you, so piss off!
    • Oh, and by the way, piss off!
    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  17. Re:It has begun... by recoiledsnake · · Score: 5, Insightful

    Good god, man! We've got to get them back on Internet Explorer! Though you meant it as a joke, for users on Vista, that could actually be a good thing. IE on Vista runs in a sandbox, so any code owning IE can only mess with the cache folder or something, and can do nothing to your system nor anything to your user files like documents. Whereas almost every other browser out there runs with the user permissions (not root or admin) by default (on all OSes, AFAIK), so that a compromise can result in viruses/keyloggers etc. that can run on startup, delete your user files/documents and/or email them to Nigeria, whereas that's simply not possible with IE on Vista.
    --
    This space for rent.