More Safari bugs found after Windows release

By

Bug hunters have claimed numerous flaws in Apple's Safari web browser just hours after its release for Windows.

More Safari bugs found after Windows release
Less than a full day after Safari version 3 beta was released for Windows and Mac, researcher Thor Larholm revealed a "fully functional command execution vulnerability, triggered without user interaction simply by visiting a website."

Larholm released proof-of-concept code for the flaw on his website today.

"Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted toward this new Windows browser," Larholm said on his website today.

David Maynor, founder and CTO of Errata Security, said on Monday on the company’s blog that researchers found a number of bugs in the beta that also work for the OS X version.

"I’d like to note that we found a total of six bugs in an afternoon, four DoS and two remote code execution bugs. We have weaponised one of those to be reliable and it’s different than what [Larholm] has found.

I can’t speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy of OS X as well (same code base for a lot of stuff)," he said. "The exploit is robust, mostly thanks to the lack of any kind of advanced security features in OS X."

Tim Erlin, vulnerability and exposure manager at nCircle, told SCMagazine.com that vendors who stress security face additional scrutiny from hackers, even if their products are in beta.

"This is interesting because you have to wonder whether it was intentional on Apple’s part. If you release a beta, you expect [vulnerabilities] to be found, and that way you get them taken care of before the actual release," he said.

"I think that [a hackers'] target tends to move to whoever has most recently made declarations of secure development. That was the case when Microsoft announced major security enhancements in Vista."

An Apple representative could not be reached for comment.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
afterbugsfindhoursjustreleaseresearcherssafarisecuritywindows

Sponsored Whitepapers

Leverage Technologies: Industry-Tailored ERP Implementation for Growth and Compliance
Leverage Technologies: Industry-Tailored ERP Implementation for Growth and Compliance
Service Over Signatures: The Truth About No Lock-In IT
Service Over Signatures: The Truth About No Lock-In IT
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.

Events

Most Read Articles

CBA using facial recognition logins to verify disputed payments

CBA using facial recognition logins to verify disputed payments
Qantas contacted by "potential cyber criminal"

Qantas contacted by "potential cyber criminal"
SA Power Networks tackles IAM, cloud security under five-year strategy

SA Power Networks tackles IAM, cloud security under five-year strategy
Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?