Apple Safari On Windows Broken On First Day 595
An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.
He notes in the blog that his company does not (Score:2, Insightful)
Thanks for the news about the vunerabilities, Paris Maynor.
Re:He notes in the blog that his company does not (Score:5, Insightful)
I can understand not sitting on a vulnerability -- there are some valid points both for and against full disclosure -- but not notifying the company at all? WTF.
This is the sort of stuff that just makes the whole IT security industry, and everyone involved in it, look dangerous and irresponsible.
telling Apple would be insane (Score:5, Funny)
*euros
*credit card numbers
*yuan
*underage virgins
*dollars
*shekels
*death to your enemies
*rubles
*pounds, British money
*pounds, crack cocaine
Just be sure to not rip off the buyer. Most of the buyers have nasty ways to kill you. Some of them have polonium. Some of them have penis pills.
Re: (Score:3, Insightful)
What did he achieve? He managed to make Apple look stupid with their crap about how secure they are. He wasn't even trying and find holes in their software.
Oh and I own two Macs before anyone calls me a fan boy of something else.
Re:He notes in the blog that his company does not (Score:5, Insightful)
UPDATE 5: I've been asked what our disclosure policy is. Its pretty simple, in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or make threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting. We do not sell the vulnerabilities to any 3rd party.
Seems the very likely scenario that they reported a critical vulnerablity and Apple tried to troubleshoot them "Is the network cable plugged in?" or "Our software is absolutely secure, your don't need to worry about it, our software has been throughoutly tested." or such. A security expert who gets flushed down the toilet by a marketoid is quite likely to hold a grudge against given company and report the following bugs elsewhere than said company.
Re: (Score:3, Interesting)
Ah yes, giving away FREE software and expecting people to use it for FREE. In turn for that FREE use, if someone finds a bug it's absolutely ludicrous to
Re:He notes in the blog that his company does not (Score:4, Insightful)
Re:He notes in the blog that his company does not (Score:4, Insightful)
("Capcom ExpenseBlaster 3 Turbo gets an 8/10 for the blazing next-generation way it lets me balance my checkbook!" "I'm sorry, but this one felt lacking to me. It was anemic in terms of features, especially compared to other contenders like Rockstar's 'Grand Theft Accounting,' and the money-laundering options. Only a 4/10.")
That doesn't stop people from proclaiming doom and gloom and trying to point out alternative software if non-game products slip, of course. Which means more than game developers get the market pressure to just 'get a 1.0 app out there, and patch it later,' albeit a bit less than game developers do. Which sucks, but... the cause of this one unfortunately lies with both the developers and consumers, I think.
Re:He notes in the blog that his company does not (Score:4, Insightful)
Apple is a commercial entity. As long as Apple is still making a profit nothing you get from Apple is free, it may not be the guy browsing but someone is footing the bill. You can certainly bet that Apple didn't just drop their bottom line by the cost of developing and distributing the software.
It reminds me of the last time I called Comcast. I ordered Showtime for the Showtime on demand movies and while the channels came in the video on demand gave an error code (very annoying since I never waste my time watching whatever they are force feeding at the moment and watch what I want when I want with the video on demand). It took them 3 months to fix it and they had the nerve to charge me for Showtime during that time. Naturally I demanded a credit and the girl tried to claim that I was paying for the channels only and the video on demand was a free service they gave me out of the kindness of their hearts so there was nothing to credit. I told her that was wonderful, take away all that expensive programming I pay all that money for and just leave me the free stuff. She told me that it only comes free with the paid programming. I told her to make up her mind, either they are giving me the video on demand for free or they require me to pay them money in order to receive it.
Re: (Score:3, Insightful)
That's my point. You aren't getting anything free with a buy-one-get-one-free sale. The 'free' ones cost the store money, they are an expense, the store bases its prices on its expenses plus a markup. That 'free' one increased the price of other items in the store. In other wo
Re: (Score:2)
They released a beta version of a program with the usual disclaimers about how it's not finished, and should not be used in a production environment, and are not forcing anyone to use it. What's your problem?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Here is a video I made debunking their proof: http://video.google.com/videoplay?docid=146818771
My guess is that they got a buffer overflow but had not yet found the correct location in memory to write their shellcode. They still have not...
Re: (Score:3, Informative)
Yeah, the only problem is that he is the only security researcher on Earth who has ever even claimed to be told this by Apple, and he has provided no evidence whatsoever of this supposed threat. Somehow everyone else who notifies apple of vulnerabilities and even demonstrates them later has managed to not get sued or taken out by thugs in a back alley.
Basically he has posited a grand conspiracy with nothing but his own word that it exists. Nobody else
Re:He notes in the blog that his company does not (Score:4, Insightful)
for example, in Security Update 2007-5 [apple.com] and
So shut up and read up before making up claims about how Apple hates security researchers.
Re:He notes in the blog that his company does not (Score:5, Insightful)
How about we try it this way:
Maynor claims to be a professional security researcher. One of the cornerstones of professionalism in that field is responsible disclosure of discovered vulnerabilities. Another is full disclosure of vulnerability details after a vendor has had a reasonable amount of time to correct the vulnerability. Yet another is working to advance the overall state of computer security. But Maynor has a track record of irresponsible, partial-at-best disclosure: he claims discovery of vulnerabilities while proclaiming that he will not report them to the vendor, and strives to hide the details of his discoveries from open review by his peers in the security community (for example, witness the endless controversy over the alleged MacBook wifi hack, all of which could have been settled quickly and objectively by simple peer review of the exploit he claimed to have used). And none of this can, so far as I can see, be construed as advancing the state of computer security in any fashion.
In other words, there is no sense of the word "professionalism" for his field which seems to be reasonably applicable to Maynor. Before you go screaming "ad hominem" or "Apple Fanboi", take note of two things:
I await your reply.
Re:He notes in the blog that his company does not (Score:5, Insightful)
Re:shooting the messenger is now + 5 insightful? (Score:5, Insightful)
Re:shooting the messenger is now + 5 insightful? (Score:5, Insightful)
It is possible that the stack failure is in (KHTML/KJS)/WebKit - but as it's not been shown that these bugs apply to either Konqueror or Mac Safari, it's most unlikely that the stack failures are the result of the open portion of the code.
Anyway, as a news story, this is a null set; it's a public beta. It's there for the public to test it and report bugs. It's not a production browser.
I'd be curious, however, to see if these bugs are Windows-only (for example, Mac OS-X and KDE have a URL handling scheme built into the OS that wouldn't be available in Windows; it would need to be implemented as part of Win Safari), or if they apply equally to Windows and Mac.
Re:shooting the messenger is now + 5 insightful? (Score:5, Interesting)
The main thing is how the URL handling works, under Windows Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS the MacOS URL handler finds the application, and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.
I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.
Re:shooting the messenger is now + 5 insightful? (Score:5, Interesting)
I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.
So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!
Now, all the docs on how to enable it are for Safari on the Mac, understandbly. What to do?
Kill Safari
Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist
Add, in what appears to be the logical place: IncludeDebugMenu1
Load Safari. Now developer-useful things like the Javascript Console are available to you.
Re:shooting the messenger is now + 5 insightful? (Score:5, Informative)
Re: (Score:3, Funny)
Re:shooting the messenger is now + 5 insightful? (Score:4, Funny)
So when are you coming back for your second dose of moderation? Or do I get to steal them because I beat you to it? Informative surely *fingers crossed*
Re: (Score:3, Informative)
Re:shooting the messenger is now + 5 insightful? (Score:5, Insightful)
That is the responsibility they undertake, yes. They may or may not understand all the ins and outs, but it's their responsibility.
Based on the blog posting, they STILL don't know what's "in for them," since the vulnerabilities are still undisclosed. They remain in Maynor's to do list, for sale to the highest bidder for all we know.
If you're a linux or MS supporter, don't waste your breath defending this guy. He wasted a year of everybody's time on that Airport vulnerability that didn't exist.
Re:shooting the messenger is now + 5 insightful? (Score:5, Insightful)
Re: (Score:3, Funny)
Proverbial code corruption (Score:3, Informative)
Pride goeth before destruction, and an haughty spirit before a fall. Proverbs 16:18 [gutenberg.org]
Re:shooting the messenger is now + 5 insightful? (Score:5, Insightful)
And if you're installing a beta then yes, you really should be aware that you're in for some bugs. It's very unfortunate that Google has diluted the meaning of "beta" so much.
Also note that he's not really failing to report a bug to Apple, he's failing to report it to the webkit/khtml open source project. I doubt very much the bugs are in Apple's closed source GUI front end to webkit.
Re:shooting the messenger is now + 5 insightful? (Score:4, Insightful)
It's very unfortunate that the rest of the industry (especially MS) has diluted the meaning of "gone gold" so much. Gold is the new beta; beta is the new alpha.
Re:shooting the messenger is now + 5 insightful? (Score:4, Funny)
Re:shooting the messenger is now + 5 insightful? (Score:4, Insightful)
Re:shooting the messenger is now + 5 insightful? (Score:5, Insightful)
Let's say there's something built atop an open source library. Hey, there's plenty of them out there... let's pick OpenSSL as an example. It's open source and it's used in other projects, some of which are commercial or proprietary systems. Now assume that some company makes a proprietary, closed product built on that project as the core, but continue to contribute changes -- a heck of a lot of changes -- back to the original project as the develop. And then they release this as a beta.
Finally, let's say that someone finds a vulnerability in the proprietary project, a security issue with implications for the open source project. And instead of reporting the vulnerability to the proprietary folks (who would probably promptly generate a patch for both their tool and the underlying library, the person refuses to report the vulnerability to anyone and just says 'I found vulnerabilities, but I'm not telling you what they are.'
That's basically how WebKit/KHTML and Safari are tied together. Safari's just a UI atop an open source framework, WebKit, which Apple is the primary contributor to but which other people also contribute to, and which other projects (besides Safari and OS X) use. WebKit is used on Symbian OS, on Linux, and various other operating systems. And this guy is claiming to have found vulnerabilities which, given where they occur, seem to have implications for WebKit as well as Safari... and is refusing to give the details to either Apple, or to the WebKit development community.
You don't have to be an Apple 'fanboi' (or fangirl) to see that's not the way to handle security disclosures. If someone found several bugs in Firefox and said 'ZOMG I can crash Firefox or anything which uses the Gecko HTML engine. I can do it 100% of the time. But I'm not going to report the details to the Firefox team, so, nyah!' people would be up in arms about it.
Professional, good security researchers report things to the responsible parties, giving them the details necessary to fix it. Going, "Ha ha, I found a way to break your stuff but I'm not going to tell you how" is not only unprofessional, it's just downright immature.
Sure, lambaste Apple for releasing a beta/preview of something with bugs if you feel you must. But, please, don't bother trying to defend someone who basically makes a mockery of the entire security field.
Re:shooting the messenger is now + 5 insightful? (Score:4, Funny)
Re:shooting the messenger is now + 5 insightful? (Score:4, Insightful)
It's a friggin BETA!!!!!
it's supposed to have bugs in it.
besides it's not like IE where the bugs are in the shipping version and part of it's core design.
Re: (Score:3, Insightful)
releasing software with remotely exploitable bugs to the general public to the fanfare of the press (release of safari is in all major news) by a large company is surely a more irresponsible act than a bug report about the said software.
Yes. Every application release ever by a large company was irresponsible. And why limit it to large companies? No software should ever have been released because they all contain bugs which could be exploited by hackers!
What Maynor does is absurd. We all know software has bugs. The developers must be held accountable. But you can't do that unless you tell them what the hell the bug is, because they can't fix the bug until you tell them what it is!
Re: (Score:3, Funny)
Don't be such a nrrrd!
Re: (Score:3, Funny)
Did you just really use the word rapscallion in a real world sentence?
Awesome.
Re: (Score:3, Funny)
Re:He notes in the blog that his company does not (Score:4, Interesting)
Looking at changelists for bugfix releases of Mac OS X, Apple regularly fixes non-public vulnerabilities and credits the people who found them. They do downplay these issues, and some managers from Apple have publicly lied about vulnerabilities in the past, but they do fix them pretty quickly and give proper credit.
For all we know, Maynors own account of his issues with Apple bear little resemblance to what really happened.
Re:He notes in the blog that his company does not (Score:4, Insightful)
The issue seems be the notion that it is somhow "wrong" for Maynor to disclose the vulnerabilites without informing Apple and giving them time to fix it. Maynor claims that IN THE PAST Apple has been uncooperative WITH HIM. So based on his OWN PAST EXPERIENCE he chose to release the vulnerabities publically. He did nothing wrong.
Frankly, I'd be a little pissed off. Maynor is doing valuable free work for Apple and he's getting pissed on by the Apple community for it.
Re:He notes in the blog that his company does not (Score:5, Funny)
Ah, I see. So this is a religious thing. I wont bother arguing then.
Re: (Score:3, Interesting)
However, I'll agree that the attitude this researcher has is terrible. For starters how do we know he actually discovered all these vulnerabilities? I could claim I discovered some too and I won't disclose them. Secondly, why wouldn't he share the information with Apple, why bother discovering all these vulne
No, he was not. (Score:3, Informative)
Geez, if you really believe that whole Ou-invented idea that Apple somehow "orchestrated" a smear campaign against Maynor and got Dalrymple and Chartier to play along with them, you should stop reading zdnet and start reading a real news outlet. It's one of the most inane tech conspiracy theories I've ever heard.
Re: (Score:3, Insightful)
I wondered who'd be the first to call anyone who didn't scream 'Apple are teh sux0r' a fanboi - and look, right there in the second comment.
BTW, incorrectly using a latin phrase [slashdot.org] in an effort to look clever just makes you look like a pretentious twat.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
I wondered who'd be the first to launch an ad hominem attack - and look, right in the first comment.
Thanks for reaffirming my faith in Apple Fanboi nature.
Re:He notes in the blog that his company does not (Score:5, Insightful)
Did you read the disclosure policy?
Keeping with our disclosure policy, we do not report bugs to Apple.
It doesn't say
Keeping with our disclosure policy, we do not wait for a response to the bugs we report.
If it said that, your comment would make sense. That would be something like
Do you have a better explanation, or a justification for that approach?
Re:He notes in the blog that his company does not (Score:5, Insightful)
Do you have a better explanation, or a justification for that approach?
Why would someone announce that he's found a vulnerability but refuse to disclose it to the vendor? Some ideas:
a) He wants to hurt the reputation of the product/vendor. (This doesn't even require the existence of a real vulnerability.)
b) He wants to sell the specifics vulnerability, either to the vendor or to the highest bidder (in which case, this is advertising).
c) He doesn't care about the security side of things, he's just earning himself some free PR on sites like this which will publish his unsupported claims uncritically.
d) This is his idea of fun.
Anything I've missed?
Maybe that's because... (Score:5, Insightful)
Re: (Score:3, Interesting)
IMO... If you release it quietly, so only the diehards are really pounding it, you can keep the "it's a beta" excuse. If you hype the release, you lose the excuse
Re:Maybe that's because... (Score:4, Insightful)
Because 100,000k security researchers and hackers all typing away at keyboards will eventually write Shakespeare?
I don't care how bright your engineers are or how well you've planned your security model, the moment you put it on the 'net it WILL be hacked. That doesn't mean it will stay hacked, so much as the task of securing a system against simulated internal attacks will uncover different problems than putting it in the wild.
Re: (Score:3, Insightful)
Re:Maybe that's because... (Score:5, Insightful)
David Maynor has a track record as a publicity whore first and legitimate security researcher second, so whether Maynor has actually found as many bugs as he claims to have found here is up for debate until he provides some more substantial proof. He also has a giant ax to grind after Apple embarrassed him in the AirPort bug fiasco. I'd take anything he says with a grain of salt until he gives me ample reason to trust him again.
Nice policy, by the way: find bugs and don't ever report them to Apple. Because last time you claimed to have reported a bug, Apple exposed you as a liar, so now you just don't bother. That's brilliant. We need more people in the world with that kind of attitude. And Maynor wonders why people don't take him seriously as a "security researcher". The Blogspot-based announcement doesn't help either. That's like your company e-mail address being @hotmail.com.
Thor Larholm, on the other hand, may well have found a legitimate bug. What with this being beta software and all, that's not too incredibly surprising. Equally serious bugs have been found in release versions of Firefox and IE, so I'm not sure what the big deal is here. If Safari 3 ships with these vulnerabilities still unfixed, then people should worry.
p
Re:Maybe that's because... (Score:4, Funny)
Apple have plenty of lawyers already.
Re:Maybe that's because... (Score:4, Informative)
Besides, from the screenshot of the crash reporter, it's a null pointer dereference (not a heap overflow) - so sure, it's a remotely exploitable denial of service attack, but the browser crashes because the software has detected a problem and decides that the safest way out is to dump core. Let's all go tell the world how broken Safari 3 for MS Windows is!
For example: http://www.trendmicro.com/vinfo/secadvisories/def
Have fun.
Why bother when... (Score:3, Insightful)
Re: (Score:2)
Think about it - whileit's unquestionable that both Thor and David are very talented hackers, but they both indicated that they didn't even look very hard to find the problems they found.
Re: (Score:3, Interesting)
And similarly, the canonicalization failure handling iframes is not platform specific. Apple knew about the potential for exploitation of that particular vulnerability, they mitigated it for basic links, but didn't when the link was in an iframe. So again it's not platform specific.
nuf said.
Re:Maybe that's because... (Score:4, Insightful)
Re: (Score:3, Informative)
Given the complaints I've seen elsewhere, I think that the quality is closer to alpha stage development. Usually, "public beta" is done on software that's almost ready for use, but has minor bugs.
The standard everywhere I've worked has been:
Re: (Score:3, Insightful)
Re:Maybe that's because... (Score:5, Insightful)
It's quicktime that's the absolute mess -- It's gotten better since iTunes came along, but compared to the lightweight framework that it is on the mac, the windows version absolutely sucks. It's just an incredibly sluggish, and somewhat useless media player.
On OS X, Quicktime is essentially a fairly versatile media framework that, given the proper codec, can play just about anything. Virtually all mac applications that require the manipulation of media files utilize it. The file format also allows for some pretty darn cool nondestructive editing -- Final Cut Pro is more or less just a fancy utility for manipulating QuickTime files.
QuickTime player is simply a front-end application that makes use of the framework. Its Windows counterpart is a mere shadow of its former self.
On the other hand, VLC natively plays every format under the sun on every platform under the sun. Come to think of it, it's the only app I know of that works extremely well on all 3 major platforms (Firefox isn't so hot on the mac)
Many people blame the presence of a Windows version for preventing Apple from transitioning iTunes over to a Cocoa app. I can hardly blame them either -- Cocoa apps tend to be a bit more stable and 'snappy' (it's a really nice framework)
I wouldn't completely knock Safari without giving it a chance. Safari itself was based off of KHTML (and the Apple devs still contribute back regularly to the KDE/Konqueror folks). If they ported it once, porting it twice shouldn't be a terribly huge issue once the initial kinks are worked out.
Re:Maybe that's because... (Score:4, Insightful)
Based on the wording you used, when you said "Its Windows counterpart," I thought you were referring to Windows Media Player, which, as I understand it, is just a(n ugly) GUI over top of DirectX Media. Fortunately, there are alternate players, such as Media Player Classic [sourceforge.net] (an open source player that resembles Windows Media Player 6.4 with some extra features) and additional codecs, including one to play Quicktime [free-codecs.com] files.
I'd consider using it if it didn't completely ignore some of Windows' GUI conventions. I hate skinned apps, with a passion. I tolerate Opera and Firefox simply because they have skins that resemble my OS... thanks to a "feature" of Windows dealing with Window Handles [msdn.com], even Internet Explorer has to recreate all the Windows controls that it wants to use (except <select> up through IE6) rather than using OS native widgets.
Other than the obvious non-standard widgets, you have
Uhhh...its beta? (Score:2, Informative)
Wow (Score:5, Informative)
Who would've thought it!
Incidentally, it doesn't seem to like authenticating proxies at all, so my first experience with it was a bug too
However, making a big deal of, but not reporting bugs found in a beta release of something seems more than a little silly.
Bugs found in beta software, news at 11 (Score:5, Funny)
It is assumed Apple realized this devastating "beta" because they hate freedom and want the terrorists to win... and they've now won.
We will try to stay on top of this developing critical story.
My god have mercy on us all.
I've said it before and I'll say it again (Score:2, Insightful)
And alot of their success at security on Mac OS is just them inheriting some of their security from the BSD kernel which I'm positive beats the hell out of the Windows kernel in terms of security.
Installing Safari 3 public beta on G4? (Score:2)
I'm running 10.4.9, 1.25 GB RAM on a Powerbook G4, have 18 GB spare on my HD, yet the installer says:
"You cannot install Safari Beta 3 on this volume. This volume doesn't meet the requirements for this update."
Anyone else getting this error? Anyone know of a workaround? How can you tell why the installer is stopping?
Re: (Score:2, Informative)
Fuzzing, not futzing. Proofread much? (Score:3, Informative)
yes, safari is faster! (Score:5, Funny)
Alpha or Beta? (Score:5, Informative)
The installation was smooth without any unexpected bumps on the road. First when I loaded the program, I noticed that no menu fonts nor any fonts whatsoever on the web pages existed. To make it worse, the browser would crash every time I clicked on anything with interactivity, such as the stop button. I have read quite a few solutions to this problem but so far no success. I run Win XP SP2, btw.
Anyway, there are more problems around the corner. According to the Apple forum, people can't play Windows Media files, dual monitor support is very buggy, some buttons screw up the GUI when pressed down and dragged, loads of spontaneous lockups, random letters appearing everywhere, installation problems, parental control issues and more. [apple.com]
Also, I am not a big fan of customized GUI:s for crucial applications like a web browser. We should be able to use Windows ClearType instead of the ported OSX version (which sucks), and most importantly, we should be able to use the standard Windows themes. I don't get why Apple thinks the average Windows user would want a significantly altered browser that looks nothing like the rest of the operating system he or she is using. How would Mac users react if Internet Explorer was ported with the Windows theme?
I think it looks like a promising project, but I am worried because it's not in Apple's nature to release beta software with so many bugs and so little heart put into it.
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
Well not entirely - IE 5 had a fruit flavoured theme to go with iMacs of the day, and the UI was distinctly Mac like. But Mac users have certainly gone batshit crazy over past versions of Office.
Windows users tend to be more levelheaded and / or apathetic. Instead of protesting, they'll simply ignore Safari altogether. The Safari 3.0 UI in Vista is awful - totally nonstandard in every respect. It's bad enough to have an Aqua-esque theme foisted into iTun
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
Re:Alpha or Beta? (Score:4, Insightful)
Well, firstly, there appears to be some bug with the Safari beta, possibly interacting with your Windows installation.
But Cleartype? Man, that sucks. The worst thing about web browsing on Windows is that text looks like shit. It would be nice to have a Windows browser that does decent text display. This is a huge problem where I work - where web pages are often viewed on a data projector screen for a large audience. Some projectors are hooked up to a Mac, some hooked up to a Windows machine. The output from Windows machines is uniformly terrible - which makes me wonder why they even bother using Windows on machines that drive projectors. In contrast, the Mac web browsers look great. So, if Safari on Windows (if it works) hopefully will provide a way to have a decent way of rendering web pages on large screens, and help us escape the misery of Cleartype and Internet Explorer.
Re: (Score:3, Insightful)
I take it you haven't actually seen IE7 yet? Besides, somehow or other, they've convinced people to actually use iTunes on Windows, so maybe there is hope...
How did this get modded informative? (Score:3, Interesting)
You mean that black letters on white backgroung actually appear as black letters on white backgroud sucks? You really prefer Windows' black-letters-appear-in-rainbow-colors technology?
You're an idiot. All colours on a computer screen are built up by different combinations of primary colours: red, green, and blue. See http://en.wikipedia.org/wiki/Additive_color [wikipedia.org]. 'White' is just all three primary colours turned on full; 'Black' is all three turned off. Normally, letters on a computer screen are created by switch individual whole pixels on and off. The difference with subpixel font rendering [wikipedia.org] is the manipulation of the individual 'subpixels' (the red, green, and blue elements that make
So many keep saying "but it's a BETA" (Score:5, Insightful)
Come on. You have to admit remote execution of any cmd is pretty bad even for a beta. This ain't your run of the mill bug, like a UI glitch or rendering type of bug. It makes the beta unusable and thus not a very useful beta. (Unless you're testing how your own trusted website looks under Safari.)
Re:So many keep saying "but it's a BETA" (Score:4, Insightful)
If they could guarantee they could get the security bugs out before releasing a Beta version, then they'd be able to guarantee they could get all the other bugs out too, so then it wouldn't be a Beta release, but a final release.
You just have to accept that if a company has said "this is a beta release, it will have bugs", that it will have bugs - all types of bugs, not just "safe" bugs. Also, the severity of the effect of a bug has no correlation with how easy it is to locate.
People have become way too complacent about trying beta quality software these days. Don't try it if you don't want to take the risk.
Re:So many keep saying "but it's a BETA" (Score:4, Insightful)
A bug that lets any old script kiddie put up a page that can execute del
No.
Even with a free beta I have a reasonable level of expectation. That the program not destroy my machine with basic usage. That the program not allow remote execution. That the program provide some core functionality as advertised. This version of Safari is well below those expectations.
Re:So many keep saying "but it's a BETA" (Score:4, Insightful)
Second. When Apple posts a direct link to one of its flagship applications on the main page of its website (http://www.apple.com), do you really expect people to understand what a beta is? It's called a beta, but it's not being treated as a beta. With normal betas, a small subset of the userbase will install, test, and use the app. Betas aren't supposed to be marketed with such fanfare. The entire point is to quietly release the beta to permit the beta testing to occur; it's not to push the app to the masses. Apple is advertising this "beta" to everyone and anyone: power user, casual user, grandma user, idiot user, manager user, etc (in order of decreasing acuity). You may know what "beta" means, but your uncle Vince who just completed a course at the public library titled "Learn the Internet 101" does not.
Code quality is measured by bug density: bugs per thousand lines of code. Finding several severe bugs right off the bat is indicative of a fairly high bug density. Lowering bug density involves testing: black box, and white box. Apparently, Apple's idea of testing appears to be letting Dan the marketing guy give it a spin for a couple hours because he's the only one with a non-development Windows desktop. I can hear it now: "Hey, it checks out with Dan, let's PUSH the code!"
This whole thing smacks of a lack of respect for the target platform: Safari on Windows. A lack of respect for the product converts to a lack of respect from me for Apple.
The only ones whining here are the Apple supporters who have long enjoyed bashing Windows users/supporters over the head with security related taunts. I think the only reason the Apple zealots are getting so upset is because this is another chink in Apple's armor. Meanwhile, the rest of us are criticizing Apple for very good reason--that this is the result of sloppiness and carelessness for the consumer.
Apple users: get used to this. Increased popularity means increased scrutiny.
Btw, criticism != whining.
Re:So many keep saying "but it's a BETA" (Score:5, Informative)
It doesn't help that the definition of beta has become muddles over the years.
When I learned the stages of software development, it went something like this:
alpha - Code that doesn't compile or runs incorrectly. Alpha testing is literally checking to see if the code compiles and runs as expected, done by the developers themselves.
beta - The code works now, but there may still be major bugs. A small group of internal testers try it and report any bugs they find. This is now called "closed beta" by MMO developers or "alpha" by the Mozilla team.
gamma - The code works and most major bugs are fixed. The code is released to a large group of testers to find any remaining issues. This is now called "open beta" by MMO developers and "beta" by everyone else.
delta - The finished product. Only maintenance releases are done at this point. New features and major bugfixes are done on the next release. This is called "beta" by Google.
So... it sounds like Apple really does have a beta in the old meaning here, but released it to a large group of people.
There are difference (Score:3, Insightful)
Another hackable part of Safari/Windows (Score:3, Interesting)
Therefore it's possible to use the OSX CoreFoundation and CoreGraphics headers to link to the Windows DLLs natively and create native Windows "psuedo-OSX" apps.
I believe CoreFoundation.dll has been around with WebObjects for Windows NT for a while, but I think CoreGraphics.dll is a new Apple "release" (I remember some anger over Apple not porting CoreGraphics when WebObjects/NT first came out).
I've documented some of what I've poked around today (just a screenshot and simple description for the moment) at http://pages.brianledbetter.com/ [brianledbetter.com]
Re: (Score:3, Insightful)
CoreFoundation and CoreGraphics are APIs that were new in OS X. CoreFoundation is an object-oriented C-based API designed tha
Maybe I need a tinfoil hat... (Score:5, Insightful)
... but the first thing that I thought of was that here you have an app (Safari) that works perfectly fine on Macs; as soon as it gets ported to Windows, BAM, instantly full of vulnerabilities. Would Apple go so far as to break their own product to deface an opponent in the OS arena?
Aikon-
I can see the ads now... (Score:5, Funny)
PC:
Mac is looking through a small viewfinder, looking very absorbed
PC: Hey Mac.
Mac: Yeah?
PC: What are you doing?
Mac: I'm browsing the internet with Safari.
PC: I do the same thing with IE.
Mac: You should try Safari. It's fast, secure, and easy to use.
Mac hands the viewfinder to PC
PC: Oh, thanks.
PC looks into the viewfinder and keels over, dead
Mac shrugs
Safari or Windows vuls? (Score:5, Informative)
IIRC, Firefox had that "URL protocol handler command injection" vulnerability (or something around those lines, correct me if I'm wrong) a few years ago and FF developers said it was the way Windows handles protocols. In the end, they had to change the way URLs are handled inside FF to prevent Windows from catching it.
From here @ WWDC... (Score:5, Interesting)
The vibe amongst the attendees is a weird mix of disbelief and bewilderment. Safari for Windows was not the big deal Steve was hoping it would be. In fact, most of the conversations I've overheard are pretty critical of this direction.
I don't think Apple is serious about competing for market share against FF or IE on Windows. I think they're offering the development platform based on Webkit so that web developers can make sure their code looks OK on the iPhone. Webkit-iness seems to be the only development platform for iPhone Apps.
Or, maybe Steve is starting to drink his own Kool-Aid.
Bringing apps to Windows (Score:5, Funny)
After reading "4 DoS bugs and 2 remote execution vulnerabilities", I'd say: "Pretty good!"
The entire UI is broken (Score:5, Interesting)
Re: (Score:3, Interesting)
I meant that the Mac has a theme engine and Windows has a theme engine. Both have a bunch of APIs that you can call easily from any app to render a button, scrollbar, checkbox etc. in t
Crashes Safari 3 on Mac OS X too (Score:5, Interesting)
Re: (Score:3, Interesting)
From wikipedia -> http://en.wikipedia.org/wiki/Software_release_cyc l e#Beta [wikipedia.org] , this is a prototype / preview / early access.
Report the bugs and they will probably get fixed.
I'm amazed that things like this get to the story line on /. .