Apple released a public beta of its Safari browser for Microsoft Windows a couple of days ago. Despite the unspeakable joy of being able to use my favorite web browser on my least-favorite operating system, there was still a bit of apprehension. Several attacks, including at least one public remote command execution vulnerability, were discovered on the very first day of release. While most of the "attacks" are simple denials of service, the remote command execution vulnerability is a horse of a different color: it works, and it's trivial to exploit. Visit a web page in Safari and you get arbitrary commands executed.
(The proof of concept requires that Firefox be installed, but, really, what Windows user is going to install Safari but not already have Firefox installed?)
The details of the various vulnerabilities are widely available; I'm not going to talk about the technical details here. Instead, I'm going to wax philosophical on the implications of Apple's move (ask anyone at the office...I tend to wax philosophical on a fairly regular basis. It's getting me to wax quiet that's the issue).
Apple has released a very complicated piece of software that has the potential to interact with a large variety of poorly written or actively malicious web sites, and they've released it for Windows. Now, attackers are freed from having to buy expensive Mac hardware to stress test Safari - any cheap Wintel box can be used. They've increased the pool of attackers able to get at their software tenfold.
The bigger problem, though, is that everyone wants a bite out of Apple (ouch, I'm sorry. That was a bad pun, even for me). The perceived smugness of the Apple community has irked many an attacker for years - the breathless claims that Mac OS X is inherently more secure than Microsoft Windows were often seen as a challenge. The act of releasing Safari for Windows was seen by some as an act of pure hubris, and hubris must be punished (either by having one's liver continually devoured by an eagle, or by finding stack overflows in HTML rendering engines. The principle's the same). Surely, any attacker who finds a hole in Safari on Windows will gain fame and fortune, at least until someone else discovers a bug.
Of course, the release of Safari for Windows isn't motivated by pure hubris - Apple is simply making sure the developer pool for the iPhone is as large as possible, and maybe trying to get the Apple brand out there a bit more. They do need to be careful, though - if a Windows user who was thinking about the proverbial "switch" sees that Apple software can be just as buggy as the Windows software they're used to, that's one lost sale for Apple.
The saving grace, of course, is that Apple has been quite clear in pointing out that this is beta software. Google's interminable beta-but-everyone-uses-it-in-production-anyway stance notwithstanding, I think people still understand that beta software is going to have bugs and holes. The real trick, the real way Apple could shine here, is to have all of the holes patched in the final release, and have no bugs discovered for a while after. Then they can advertise how secure they are, even on Windows.
Of course, humans being what they are, and programmers being human, there are going to be bugs. This might be the small tremble that marks the beginning of the end of Apple's (real or perceived) security superiority.
