Researchers: Safari for Windows Very Buggy

The biggest news Apple Inc. made yesterday at the opening of its Worldwide Developers Conference was its announcement that it had ported its Safari Web browser to Windows. CEO Steve Jobs called the beta of Safari 3 "the most innovative browser in the world, and the fastest browser on Windows." He could have added "the most insecure browser on Windows" to that list of superlatives.

In what must be a delicious irony for Microsoft, security researchers found a host of bugs in the Safari beta within hours of downloading the bits. Apple touts the security of its products, and disparages the alleged insecurity of Microsoft products, every chance it gets.

David Maynor, a researcher for Errata Security, stated on the company's blog yesterday that he had already discovered six bugs in the beta product, including four denial-of-service bugs and two remote execution vulnerabilities. "Not bad for an afternoon of idle fuzzing," Maynor wrote. Errata is a security consulting and product testing company.

Maynor said the bugs he found are also present in the latest shipping version of Safari, version 2.0.4. He added that well-known security researcher Thor Larholm, who has discovered many vulnerabilities in Microsoft's Internet Explorer browser, has found bugs in the Safari for Windows beta as well. Larholm's Web site was unavailable as this story was being written, but he did chime in on the Errata blog on how lax he believes Apple was in the testing phase.

"Seeing as this is fuzzing it should be relatively simple for others to discover on their own, which makes you wonder why Apple never bothered to do so," Larholm wrote.

Researcher Aviv Raff also weighed in. Soon after downloading the Safari beta, he ran a program he developed, called Hamachi, that looks for browser vulnerabilities.

"So, I've decided to take it for a test drive, and ran Hamachi," he wrote. "I wasn't surprised to get a nice crash [a] few minutes later."

Raff also noted how, in its marketing materials, Apple said its engineers designed Safari to be safe "from day one." Raff wrote, "Again, this is just a beta version. But, don't you hate those pathetic claims?"

Jobs mentioned that Safari currently has less than five percent of the browser market, which is still dominated by IE (about 78 percent) and Mozilla's Firefox (about 14.5 percent). Jobs said that Safari's market share was unlikely to grow much unless Apple made it available to the Windows world.

About the Author

Keith Ward is editor of Virtualization Review magazine.