Two vulnerabilities found in Safari browser for Windows

One of the software vulnerabilities allows an attacker to run code remotely on a Windows PC. With this flaw, files with long names downloaded via Safari 3.1 "can be exploited to cause memory corruption," leaving the PC vulnerable to the execution of arbitrary code, Secunia said in a security advisory available here.

The second bug could allow attackers to display their own content in pages loaded into Safari 3.1 without changing the URL information shown in the browser's address bar.

These are just the most recent knocks against Safari 3.1.

On the one hand, numerous users have complained on Apple's online support forum that the browser has created numerous problems.

One user, "jerrydj," complained, "I downloaded Safari 3.1, I installed it, Windows (Vista)/the program says it is done but it is nowhere on my pc. Anybody else had this too?"

Another complained there are "a lot reasons to dislike Safari," including its lack of ad-blocking capabilities, "its very slow scrolling," and its limited range of configuration options.

In all fairness, a number of Apple forum members also posted positive comments about the Windows version of Safari. One, for instance, noted that it offered "faster page loading (than Firefox and Internet Explorer) [and] GREAT text rendering (MUCH better than Firefox and Internet Explorer). This is actually why I love this browser."

In addition to these vulnerabilities, Apple has come under fire from John Lilly, the CEO of the Mozilla Foundation, which develops Safari competitor Firefox, for how it delivered Safari 3.2 for Windows. Apple sent out the browser last week in a "stealth" update for users of its iTunes and QuickTime software.

Lilly called that practice "wrong" in a blog posting available here [http://john.jubjubs.net/2008/03/21/apple-software-update/].

"Apple has made it incredibly easy -- the default, even -- for users to install ride-along software that they didn't ask for, and maybe didn't want," Lilly wrote in the blog post. "This is wrong, and borders on malware distribution practices.

"It's wrong because it undermines the trust that we're all trying to build with users," he added. "Because it means that an update isn't just an update, but is maybe something more. Because it ultimately undermines the safety of users on the web by eroding that relationship. It's a bad practice and should stop."

Both of the flaws were uncovered by security vendor Secunia.

Apple did not respond to SCMagazineUS.com's request for comment on either the vulnerabilities or Lilly's comments.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition

browserforfoundinsafarisecuritytwovulnerabilitieswindows