Two vulnerabilities found in Safari browser for Windows | SC Media


March 31, 2008
Apple's recently released Safari 3.1 browser for Windows not only contains two "highly critical" software vulnerabilities, but it has come under fire for its poor functionality. Apple also received criticism for the manner in which it released the browser last week.

One of the software vulnerabilities allows an attacker to run code remotely on a Windows PC. With this flaw, files with long names downloaded via Safari 3.1 "can be exploited to cause memory corruption," leaving the PC vulnerable to the execution of arbitrary code, Secunia said in a security advisory available here.

The second bug could allow attackers to display their own content in pages loaded into Safari 3.1 without changing the URL information shown in the browser's address bar.

These are just the most recent knocks against Safari 3.1.

On the one hand, many users have complained on Apple's online support forum that the browser has caused numerous problems.

One user, "jerrydj," complained, "I downloaded Safari 3.1, I installed it, Windows (Vista)/the program says it is done but it is nowhere on my PC. Anybody else had this too?"

Another complained there are "a lot of reasons to dislike Safari," including its lack of ad-blocking capabilities, "its very slow scrolling," and its limited range of configuration options.

A number of Apple forum members also posted positive comments about the Windows version of Safari. One, for instance, noted that it offered "faster page loading (than Firefox and Internet Explorer) [and] GREAT text rendering (MUCH better than Firefox and Internet Explorer). This is actually why I love this browser."

In addition to these vulnerabilities, Apple has come under fire from John Lilly, chief executive officer of the Mozilla Foundation, which develops Safari competitor Firefox, for how it delivered Safari 3.2 for Windows. Apple sent out the browser last week in a "stealth" update for users of its iTunes and QuickTime software.

Lilly, on his personal blog, said he disagreed with the practice.

"Apple has made it incredibly easy -- the default, even -- for users to install ride-along software that they didn't ask for, and maybe didn't want," Lilly wrote in the blog post. "This is wrong, and borders on malware distribution practices."

The latest Safari flaws were uncovered by security vendor Secunia.

Apple did not respond to SCMagazineUS.com's request for comment on either the vulnerabilities or Lilly's comments.