Must Read: No niche for iPad: Why I returned mine

Topic: Security

Safari on Windows could be big target for malware

Summary: The news that Apple's Safari browser is coming to Windows has caused raised eyebrows in the security research community and there's already word that a memory corruption vulnerability has been discovered.

Ryan Naraine

By for Zero Day |

The news that Apple's Safari browser is coming to Windows (see Techmeme discussion) has raised eyebrows in the security research community and there's already word that a memory corruption vulnerability has been discovered.

Apple SafariApple is no doubt looking to take a bite out of that search-box advertising market that's been so lucrative for Mozilla but if Safari on Windows is half as popular as iTunes, you can bet malware authors will be licking their lips.

Safari has not held up well to hacker scrutiny on the Mac platform. Tom Ferrris, a hacker who routinely finds Safari and Mac OS X vulnerabilities, once told me it's "trivial" to trigger a crash on Safari. The reality is that every crash is a potential security vulnerability.

Just hours after today's Apple announcement, Errata Security researcher David Maynor downloaded the beta code and found two potentially serious security issues.

Safari crash dump

"These are popping out like hotcakes," Maynor said in a blog entry with screenshots of the Safari crash. Maynor does not report his discoveries to Apple because of the public discloure spat that erupted at last year's Black Hat Briefings.

During HD Moore's month of browser bugs project, details on two Safari vulnerabilities were released. According to Tom Ferris, there are several unpatched Safari flaws outstanding.

Safari on Windows puts the buggy browser before a bigger audience. You can bet your bottom dollar malware authors are paying close attention.

[UPDATE: June 11, 2007 @ 7:43 PM] Aviv Raff gets in on the fuzzing action and finds (another?) potentially exploitable memory corruption issue.

Topics: Security, Browser, Malware, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

51 comments
Log in or register to join the discussion

  • Haha, did I call this or what?

    Everything that Apple writes turns out to have cracks in it bigger than the Grand Canyon. Why would we torment ourselves with Safari bugs after we've lived through all the nightmares associated with Quicktime? Thanks but no thanks Apple, please keep your malware off Windows and Linux. Over the years, we've been accustomed to far better software than you can provide for us. Can you say Firefox? I knew you could.
    NonZealot
    Reply Vote

    • This comes from a man/women

      who despises everything Linux and/or Firefox . C'mon Zealot , let's be truthful for a change , who are you trying to fool ? You on many occasions , have stated that Firefox was bloated and buggy and now you say you use it . You also stated that Linux was a scourge , and now you use it . I'm betting on you using iTunes , iPods and everything you say you hate . C'mon out the closet now , I know you are just a child who has been hurt far to many times .
      Intellihence
      Reply Vote

      • Haha, find 1 link

        [i]You on many occasions , have stated that Firefox was bloated and buggy and now you say you use it . You also stated that Linux was a scourge , and now you use it[/i]

        Find even one link where I say this! OUCH!
        NonZealot
        Reply Vote

        • Where is your butt buddy Ye at ?

          Zealot you know dang well like I do you hate everything that isn't Microsoft . Now you claim to like Linux just because Novell and Microsoft are in bed . You sir are the biggest bold faced liar on these talk backs .
          Intellihence
          Reply Vote

    • For a last note moron , this is just a beta . <NT>

      <NT>
      Intellihence
      Reply Vote

    • Compared to IE, MS Office, Outlook, and Windows itself, the risks are

      extremely minor.
      DonnieBoy
      Reply Vote

      • Given that you are right

        (which isn't a given but regardless), I have to ask: so what? No matter how dangerous my current computing environment may be, why would you suggest that I make it even worse by installing Safari? Commenting on how bad Windows software is in no way changes the fact that everything Apple writes is also extremely bad.
        NonZealot
        Reply Vote

        • Right, you can NOT uninstall IE. That is a real shame, because, as you

          point out, even though the other products are safer and better, you are as a whole, not as save because you now have two products installed. To add insult to injury, you also have to patch and update both applications.
          DonnieBoy
          Reply Vote

    • i have to agree NonZealot I'll stick with firefox apple software

      i have to agree NonZealot I'll stick with firefox apple software sucks.

      if they arnt writing the code for there firmware and there OS it just does not work.

      and it just go's go show as soon as apple reaches enough of a market share to be worth there time male-ware writers will be busy little bees.

      and the mac users will be defenseless why because they believe every word that comes out of Jobs mouth. and he says they are safe.

      they still think as soon as there a security bug apple is right on it and writes a patch the next day and puts it out.

      when in realty they wait until they have 10 11 12 or 13 and up before they release them.
      SO.CAL Guy
      Reply Vote

    • its David Maynor...

      he has faked Apple vulnerablilities in the past, why belive this one?
      doh123
      Reply Vote

      • No he hasn't

        Just because Apple wouldn't admit to the hack while coincidentally putting out a patch for it doesn't make Maynor a liar. It makes Apple a liar. Apple liked [b]big time[/b] about the WiFi flaw. It was disgusting.
        NonZealot
        Reply Vote

        • Sure he has , he is a liar .

          Prove yourself and provide a link Zealot .
          Intellihence
          Reply Vote

  • Safari IS Malware

    Check out engadget or slashdot for numerous reports on this buggy, crash prone software. It reminds me of iTunes for windows when it first came out- it was horrible. Now it's just mediocre.
    crescentdave
    Reply Vote

    • Yes, so, Windows is malware, Outlook is malware, MS Office is malware,

      What is your point????
      DonnieBoy
      Reply Vote

      • Yes, so, Windows is malware, Outlook is malware, MS Office is malware

        DonnieBoy just becuae you don't know how to use a computer is no reason to call everything malware.
        SO.CAL Guy
        Reply Vote

        • Maybe you haven't figured it out, but 99.9% of the viruses in the wild are

          for Microsoft products.
          DonnieBoy
          Reply Vote

    • So if iTunes is mediocre on Windows go and buy yourself a Mac .

      That way iTunes won't be so mediocre anymore . What you have stated about iTunes on windows is true , then again Windows doesn't have all the proper resources to run iTunes completely . I look at iTunes on Windows and then Mac and I say , dang there sure is alot missing on the Windows side .
      Intellihence
      Reply Vote

    • is malware only on windoze!

      If written on a robust OS like Linux, than there will be far fewer vulnerabilities.
      Linux Geek
      Reply Vote

  • Will Windows users even care?

    I'm confused, how is an optional software package that just announced its
    deployment on a new platform a bad-boys chops-licker? I don't really see it
    making much headway in terms of install base. There are already non-Microsoft
    alternatives to IE and Safari's alleged technical superiority isn't a real category-
    killer feature.

    The problems being found today with Safari are far more a threat to Mac users like
    me than potential Safari users on Windows. Here's to hoping that someone less
    petulant than Mr. Maynor is researching these issues.
    DannyO_0x98
    Reply Vote

  • Safari dies upon startup...

    Lots of folks are experiencing an instant crash of Safari on Win XP boxes. It -appears- to be trying to execute an SSE instruction
    in CFNetwork.dll. Some Pentiums and AMD chips don't have SSE.
    So, despite the "requirements" being satisfied, Apple didn't
    really generate a cleanly (or "intelligently")-coded package.
    (yes, it's a beta, but...)

    Apple discussion group thread on the issue:
    <http://discussions.apple.com/thread.jspa?threadID=992829&tstart=45>
    astro_z
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close