Last week, users were prompted to download an iTunes security update that also included an update to the latest version of Safari for Windows, even if the browser was not already installed on their machine.
Mozilla’s John Lilly wrote on his personal blog that he disapproved of using this practice because it is misleading to users and erodes their trust in software vendors.
“The problem here is that it lists Safari for getting an update – and has the ‘Install’ box checked by default – even if you haven’t ever installed Safari on your PC,” he said. “That’s a problem because…by and large, all software makers are trying to get users to trust us on updates, and so likely behavior here is for users to just click [to install]. It’s wrong because it undermines the trust we’re all trying to build with users,” he continued. “Because it means that an update isn’t just an update, but is maybe something more.”
An Apple spokeswoman did not return a phone call seeking comment.
Rich Mogull, founder of consultancy Securosis, told SCMagazineUS.com today that Apple’s attempt at creating more market share for Safari could be viewed as deceptive.
“Literally, that is the definition of spyware in many cases,” he said. “It’s surreptitiously installed software you don’t want on your machine.”
Apple is setting a poor precedent, he said.
“We’re starting a bad habit if we continue to intermingle security with [software] functionality updates,” he said. “Let’s be honest. A lot of vendors do this, but when you’re the size and scope of Apple and when millions and millions of users have iTunes and the next thing you’re giving them is a browser they didn’t ask for – that’s pretty serious.”
Statistics show that Safari holds between a three and six percent share of browser usage, while Mozilla Firefox retains a roughly 15 percent share. Internet Explorer dominates the market with a roughly 75 percent share.
Meanwhile, a security researcher on Monday reported two dangerous vulnerabilities in the Safari for Windows web browser.
Version 3.1 of the browser is susceptible to two vulnerabilities – rated “highly critical” by bug tracking vendor Secunia – that could be leveraged to launch URL spoofing attacks or cause system compromise.
Researcher Juan Pablo Lopez Yacubian discovered the flaws. One of the bugs relates to an error when downloading ZIP files containing an overly long filename. This can lead to memory corruption and permit an attacker to execute arbitrary code.
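The filename-length bug described above belongs to a familiar class: the ZIP format stores each entry name with a 16-bit length field, so a name can legally run to 65535 bytes, far longer than the fixed buffer a careless consumer might reserve for it. The following added example (not code from the article, from Apple or from the researcher) shows how a defender can inspect an archive for such entries before handing it to a parser that is not known to be safe. It walks the raw local file headers to show where the length field sits, and separately lists offending names through Python's `zipfile` module. The 255-byte threshold and the sample archive are assumptions constructed for the example.

```python
import io
import struct
import zipfile

# Local file header layout from the ZIP specification (PKWARE APPNOTE 4.3.7):
# signature, version needed, flags, method, mod time, mod date, crc32,
# compressed size, uncompressed size, filename length, extra field length.
LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes

# Assumed policy threshold, not a value from the article: the length field is
# 16 bits, so an entry name may be up to 65535 bytes, far more than any small
# fixed-size buffer a consumer is likely to copy it into.
MAX_NAME_BYTES = 255


def scan_local_headers(zip_bytes):
    """Return [(offset, name_len, name)] by walking the local file headers.

    Works directly on the raw bytes, so it reports exactly what a naive reader
    would copy before any library validation runs. Entries that use a data
    descriptor (flag bit 3) carry no size in the local header, so the walk
    stops there instead of guessing.
    """
    entries = []
    pos = 0
    while pos + LOCAL_HEADER_SIZE <= len(zip_bytes):
        fields = struct.unpack_from(LOCAL_HEADER_FMT, zip_bytes, pos)
        if fields[0] != LOCAL_HEADER_SIG:
            break
        flags, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        name_start = pos + LOCAL_HEADER_SIZE
        raw_name = zip_bytes[name_start:name_start + name_len]
        entries.append((pos, name_len, raw_name.decode("utf-8", "replace")))
        if flags & 0x08:
            break
        pos = name_start + name_len + extra_len + csize
    return entries


def find_long_names(zip_bytes, limit=MAX_NAME_BYTES):
    """Return [(name, utf8_len)] for entries whose name exceeds `limit`.

    Reads the central directory via zipfile, which is what most tools trust.
    Returns None for a malformed archive so the caller can quarantine it
    rather than proceed on partial information.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    return [(info.filename, len(info.filename.encode("utf-8")))
            for info in infos
            if len(info.filename.encode("utf-8")) > limit]


def build_sample_archive():
    """Constructed test input: one ordinary entry and one with a 304-byte name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("a" * 300 + ".txt", b"payload bytes")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for offset, name_len, name in scan_local_headers(sample):
        print(f"local header @{offset}: name_len={name_len} name={name[:20]!r}...")
    print("over limit:", find_long_names(sample))
```

A gateway or mail filter can run `find_long_names` on each attachment and hold anything that returns a non-empty list or `None`; the raw header walk is useful when the central directory has been deliberately damaged, since it sees the same bytes a streaming extractor would.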
The other hole involves the handling of windows, which can be exploited to show a bogus URL in the address bar for a legitimate website.
As users await a fix, they are advised not to browse untrusted websites.