All eight

Jun 13, 2007 14:53 GMT  ·  By

Security company Symantec has confirmed all eight vulnerabilities impacting Apple's Safari on Windows. Starting on June 11, 2007, Apple made Safari available for Windows XP and Windows Vista. Currently, the product is a public beta release, and Apple said that the browser will be delivered as a free download for Vista, XP and Tiger simultaneously with the launch of Mac OS X 1.05 Leopard in October.

On the official Apple website for Safari, the Cupertino-based company revealed a total of 12 reasons why users would love Safari. At the bottom of the pile, the 12th reason is of course the "traditional" Apple security. Apple promises nothing short of "worry-free web browsing on any computer" because "Apple engineers designed Safari to be secure from day one." The following paragraphs, applauding the browser's high security level, have been taken from the Safari web page.

"For starters, Safari uses robust encryption to ensure that your private information stays that way. When you browse a secure site, Safari displays a lock icon in the upper-right corner of the browser. If you want to know more about the credentials of a secure site, click the lock icon and Safari displays detailed information about the site's security certificate.

Safari supports SSL versions 2 and 3, as well as Transport Layer Security (TLS), the next generation of Internet security. Safari uses these technologies to provide a secure, encrypted channel that protects all your information from online eavesdroppers. And Safari lets you use standards-based authentication such as Kerberos single sign-on and X.509 personal certificates, or proprietary protocols like NTLMv2 to log in to secure sites.

Safari also supports a variety of proxy protocols - services that help firewalls control what flows in and out of the network - including Automatic Proxy configuration, FTP Proxy, Web Proxy (HTTP), Secure Web Proxy (HTTPS), Streaming Proxy (RTSP), SOCKS Proxy, and Gopher Proxy."

Despite Apple's arrogant assumptions about Safari's security as the browser - thrown out of the Mac OS X Garden of Eden - made its first conquering steps onto Windows territory, Eric Chien, Symantec Security Response Engineer, warned that the Apple browser was going to become yet another vector of attack on Microsoft's platform. Chien predicted that exploits and vulnerabilities would follow Safari to Windows.

Now, the main difference between Apple and Symantec is that only one of the two companies actually deals with security, while the other only manages the perception of customer protection via marketing. I'll let you put two and two together. David Maynor, Thor Larholm and Aviv Raff are three security researchers who managed to prove Apple wrong. Apple's "secure from day one" Safari was hit with eight vulnerabilities on just the first day. Symantec confirmed all of them.

"Details on the first one have already been released publicly and the other two have been reportedly disclosed to Apple. We have not seen these being used maliciously in the wild, but then again, they were just released hours ago. We definitely expect in-the-wild usage to follow in the future, as well as the discovery of more vulnerabilities. This Safari release is officially a beta release. Even if these vulnerabilities didn't exist, we wouldn't recommend using beta software in a production environment. Hopefully many of these bugs will be scrubbed before the official release," Chien stated.

Here is additional information about the flaws affecting Safari on Windows:

- Apple Safari for Windows Protocol Handler Command Injection Vulnerability (BID 24434)
- Apple Safari for Windows Unspecified Denial of Service Vulnerability (BID 24431)
- Apple Safari for Windows Unspecified Remote Code Execution and Denial of Service Vulnerabilities (BID 24433)