Flawed Safari browser endangers Windows users

Two security flaws have been found in the recently released Windows version of Apple's Safari browser — but despite Apple's ambitions to boost the user-base for Safari, its small size will help protect users, say security experts.

An address-bar spoofing flaw was discovered by Argentinian researcher Juan Pablo Lopez Yacubian, who reported it to the Danish security company Secunia on Monday. He also reported a second vulnerability involving memory corruption, although Secunia has not yet established whether or not this flaw is exploitable. Even so, Secunia has classified the vulnerabilities as "highly critical".

"The one vulnerability is a classic spoofing vulnerability which will allow the attacker to make the Safari user believe he is on a different site than he actually is, which makes it easier to steal information from that user," Secunia's chief technology officer, Thomas Kristensen, told ZDNet.com.au's UK sister site ZDNet.co.uk on Wednesday.

"As for the other one... we are still investigating that one," Kristensen added. "It is a memory-corruption vulnerability and we haven't proven yet that it can be exploited but, if it can, then it would be possible for a malicious site to execute keyloggers or other malicious code."

Kristensen said that Apple's controversial tactic of pushing out Safari for Windows as an opt-out "update" to existing iTunes users would be "getting [the browser] more users", but stressed that he "[did] not think the user base for Safari on Windows is big enough for anyone to want to exploit this right now".

"None of those [vulnerabilities] can be exploited if you don't actively use Safari to visit a malicious website," Kristensen said, while confirming that the security flaws have not yet been patched by Apple.

Apple had not responded to a request for comment at the time of writing.