'Highly critical' flaws found in Safari for Windows

Two security flaws have been found in the Windows version of Apple's Safari browser, which was released just over a week ago.

An address-bar spoofing flaw was discovered by Argentinian researcher Juan Pablo Lopez Yacubian, who reported it to the Danish security company Secunia on Monday. He also reported a second vulnerability involving memory corruption, although Secunia has not yet established whether or not this flaw is exploitable. Even so, Secunia has classified the vulnerabilities as "highly critical".

"The one vulnerability is a classic spoofing vulnerability which will allow the attacker to make the Safari user believe he is on a different site than he actually is, which makes it easier to steal information from that user," Secunia's chief technology officer, Thomas Kristensen, told ZDNet.co.uk on Wednesday.

"As for the other one… we are still investigating that one," Kristensen added. "It is a memory-corruption vulnerability and we haven't proven yet that it can be exploited but, if it can, then it would be possible for a malicious site to execute keyloggers or other malicious code."

Kristensen said that Apple's tactic of pushing out Safari for Windows as an opt-out "update" to existing iTunes users would be "getting [the browser] more users", but stressed that he "[did] not think the user base for Safari on Windows is big enough for anyone to want to exploit this right now".

"None of those [vulnerabilities] can be exploited if you don't actively use Safari to visit a malicious website," Kristensen said, while confirming that the security flaws have not yet been patched by Apple.

Apple had not responded to a request for comment at the time of writing.