Safari on Windows could be big target for malware

Summary: The news that Apple's Safari browser is coming to Windows has raised eyebrows in the security research community, and there's already word that a memory corruption vulnerability has been discovered.

The news that Apple's Safari browser is coming to Windows (see Techmeme discussion) has raised eyebrows in the security research community and there's already word that a memory corruption vulnerability has been discovered.

Apple is no doubt looking to take a bite out of that search-box advertising market that's been so lucrative for Mozilla, but if Safari on Windows is half as popular as iTunes, you can bet malware authors will be licking their lips.

Safari has not held up well to hacker scrutiny on the Mac platform. Tom Ferris, a hacker who routinely finds Safari and Mac OS X vulnerabilities, once told me it's "trivial" to trigger a crash on Safari. The reality is that every crash is a potential security vulnerability.

Just hours after today's Apple announcement, Errata Security researcher David Maynor downloaded the beta code and found two potentially serious security issues.

"These are popping out like hotcakes," Maynor said in a blog entry with screenshots of the Safari crash. Maynor does not report his discoveries to Apple because of the public disclosure spat that erupted at last year's Black Hat Briefings.

During HD Moore's month of browser bugs project, details on two Safari vulnerabilities were released. According to Tom Ferris, there are several unpatched Safari flaws outstanding.

Safari on Windows puts the buggy browser before a bigger audience. You can bet your bottom dollar malware authors are paying close attention.

[UPDATE: June 11, 2007 @ 7:43 PM] Aviv Raff gets in on the fuzzing action and finds (another?) potentially exploitable memory corruption issue.

Topics: Security, Browser, Malware, Windows

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
