Security Testers Spot Bugs Galore on Windows Safari

"I'd like to note that we found a total of six bugs in an afternoon, four DoS (denial of service) and two remote code execution bugs," wrote David Maynor on his Errata Security blog. "We have weaponized one of those to be reliable." Errata Security is a consulting and product testing company, and the "weapon" comment doesn't refer to any intent to use the code for nefarious purposes.

Railed by Readers

Thor Larholm, who blogs on Larholm.com, created a zero-day exploit in two hours and posted it online. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser," he wrote.

Another security expert, Aviv Raff, ran Hamachi, a program that tests browser integrity. "I wasn't surprised to get a nice crash [a] few minutes later," he wrote on his Aviv Raff On .NET blog.

Many readers of all three of the experts' blog sites posted comments nailing Apple with sarcasm and disdain.

Symantec (Nasdaq: SYMC) , a provider of security tools, posted warnings for three of the most critical vulnerabilities for Safari on Windows on its Symantec Security Response Weblog. "This Safari release is officially a beta release. Even if these vulnerabilities didn't exist, we wouldn't recommend using beta software in a production environment," Symantec noted. "Hopefully many of these bugs will be scrubbed before the official release."

Apple's Challenge

"The browser market on the Windows side is an advanced and skeptical market," Mike Romo, product manager of Symantec's Macintosh Group, told MacNewsWorld. "The ultimate browser on Windows is Firefox. It's going to be interesting to watch them point out the value proposition of Safari in a very crowded browser market."

Symantec, noted Romo, is particularly concerned about users that might rely on beta software, and Safari for Windows is a case in point. "We think it's something everyone should be know about," he said.

"Apple is going to have to examine security on the Windows side very specifically and succinctly if they are going to succeed. ... The thing with Apple, since they do play their cards close to their chest -- they should have given developers a little notice, at least on the Windows side, so we could have knocked it about a bit and worked on integrating the Safari browser into our product schedule," Romo said.

Emotional Touchstone

Aside from entering an entrenched market against Internet Explorer and Firefox, Apple faces another challenge.

"A browser is a touchstone. Next to e-mail , a browser is the most emotional point that a user has in their computer experience. As far as a user's daily interaction, the emotional interaction, of having a finger on the pulse of what's going on in the world, there's nothing more intimate than the browser, so it cannot be stated enough how important security is on the browser, because everybody is using it, and when everybody is using it, everybody is a target," Romo explained.

"I think it's up to all software developers to work hard to prevent vulnerabilities," he added.

What's Next?

Whether or not Apple pushed Safari for Windows out the door too quickly, even though it's a beta product, what's next for the browser's launch? Obviously, Safari is important for Apple's iPhone efforts because Safari for Windows will make it easier for developers to create cross-platform applications that run in a browser, built against Safari features, for use on the iPhone. Also, because the iPhone is critical to Apple right now, the company will very likely roll out fixes faster than usual.

"I think Apple takes security very seriously, and they have a good track record of making fixes with their security updates," Romo said. "I think it's encouraging that Apple is entering this market because it allows them to experience a different landscape, one where security is such a top-line issue."