Patch/Configuration Management, Vulnerability Management

Experts: Consider Safari security before deployment

Organizations considering deploying Apple's new Windows-compatible Safari should consider the security impact the web browser may pose, experts said today.

In a statement, Cupertino, Calif.-based Apple listed speed and performance as the main advantage Safari for Windows has over its competitors, namely Microsoft Internet Explorer (IE) and Mozilla Firefox. The statement contends Firefox loads pages up to twice as fast as IE7 and up to 1.6 times quicker than Firefox 2.

"We think Windows users are going to be really impressed when they see how fast and intuitive web browsing can be with Safari," Apple CEO Steve Jobs said in a statement. The company announced the new browser version at its annual Worldwide Developers Conference on Monday.

While the statement announcing the launch did not mention security as a selling point, even though Apple traditionally has marketed its products as superior in terms of safety, researchers did not waste time discovering flaws in the new Safari beta release. Errata Security announced Monday that it had discovered a DoS exploit.

John Pescatore, a Gartner vice president and senior fellow, said more bugs could be coming and enterprises considering adoption should pay attention.

"Apple does not have a great track record for the security of its code on anything except Mac OS X, and even that’s had a pretty good history [of vulnerabilities]. Certainly there are issues on how well-baked the security code is for Windows."

Andrew Jaquith, an analyst with Yankee Group, said he expects Mac exploits to rise but doesn't anticipate any serious problems with the new Safari browser.

"There's going to be a very small number of people that use it I suspect," he told SCMagazine.com.

The plus side is that Safari will now be available to the millions of Windows users, enabling more browser "heterogeneity" and choice for end-users, Pescatore said. Safari currently has an approximately five percent market share, while IE trumps the competition with an approximately 80 percent share, according to recent statistics.

"[The more browsers people are using] it makes the job of spyware writers that much harder," Pescatore said.

Microsoft agreed that offering users more options is the best idea.

"With hundreds of millions of Windows users, it's not a surprise that a company that makes web browsers would want it to work with Windows. We're glad our customers have a choice in browsers, and we think [IE7] is the best available," Kevin Kutz, director of the Windows Client group at Microsoft, said in a statement emailed today to SCMagazine.com

Pescatore said Apple does not provide patching tools and processes like Microsoft does, so if vulnerabilities began running rampant, it could pose a problem for businesses.

"They’re not too helpful helping enterprises patch," he said.

An Apple spokesman did not return a telephone call seeking comment.

Alan Shimel, chief strategy officer of StillSecure, contended today on his blog that the decision to make Safari available for Windows users was less about competition with Microsoft and more about the soon-to-be-released iPhone.

"Apple is not going to let people develop [third]-party apps for the phone," Shimel said. "However, the phone will run Safari. So if you develop Safari-specific web applications, you can get them on the iPhone, assuming they lend themselves to a mobile platform."

The news Monday was reminiscent of Apple's launch of the iTunes application compatible with Windows machines.

The public data of Safari 3 is available free here.

 

Click here to email reporter Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.