Flawed Safari browser endangers Windows users

Flawed Safari browser endangers Windows users

Summary: Two security flaws have been found in the recently released Windows version of Apple's Safari browser — despite Apple's attempts to increase the user-base for Safari, its small size will help protect users, say security experts.

SHARE:

Two security flaws have been found in the recently released Windows version of Apple's Safari browser — but despite Apple's ambitions to boost the user-base for Safari, its small size will help protect users, say security experts.

An address-bar spoofing flaw was discovered by Argentinian researcher Juan Pablo Lopez Yacubian, who reported it to the Danish security company Secunia on Monday. He also reported a second vulnerability involving memory corruption, although Secunia has not yet established whether or not this flaw is exploitable. Even so, Secunia has classified the vulnerabilities as "highly critical".

"The one vulnerability is a classic spoofing vulnerability which will allow the attacker to make the Safari user believe he is on a different site than he actually is, which makes it easier to steal information from that user," Secunia's chief technology officer, Thomas Kristensen, told ZDNet.com.au's UK sister site ZDNet.co.uk on Wednesday.

"As for the other one... we are still investigating that one," Kristensen added. "It is a memory-corruption vulnerability and we haven't proven yet that it can be exploited but, if it can, then it would be possible for a malicious site to execute keyloggers or other malicious code."

Kristensen said that Apple's controversial tactic of pushing out Safari for Windows as an opt-out "update" to existing iTunes users would be "getting [the browser] more users", but stressed that he "[did] not think the user base for Safari on Windows is big enough for anyone to want to exploit this right now".

"None of those [vulnerabilities] can be exploited if you don't actively use Safari to visit a malicious website," Kristensen said, while confirming that the security flaws have not yet been patched by Apple.

Apple had not responded to a request for comment at the time of writing.

Topics: Apple, Broadband, Browser, Security

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion