Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Safari 3.1 For Windows Violates Its Own EULA, Vulnerable To Hacks

Posted by Zonk on Thu Mar 27, 2008 08:45 AM
from the you-have-chosen-poorly dept.
Businesses Security The Internet Apple
recoiledsnake writes "The new Safari 3.1 for Windows has been hit with two 'highly critical'(as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as a update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites." Further, Wormfan writes "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs." Update: 03/27 17:23 GMT by Z : Dave Schroeder writes with the note that the license has been updated to correct this mistake.
+ -
story

Related Stories

[+] Technology: Mozilla CEO Objects To Safari Auto Install 768 comments
hairyfeet writes "Do you use iTunes on Windows? If so you may be getting the gift of Safari from Apple whether you want it or not, and Mozilla CEO John Lilly is not happy about it. After his daughter was offered Safari as a 'bonus update' with a recent update to her iTunes software, Mr. Lilly says on his blog, 'What Apple is doing now with their Apple Software Update on Windows is wrong. It undermines the trust relationship great companies have with their customers, and that's bad — not just for Apple, but for the security of the whole Web.' He also pointed out the check box is already clicked when you go to update meaning you have to opt out, not in and that it lists Safari as getting an update even if you don't have it installed." Update: 03/21 21:44 GMT by KD : Corrected the name of the Mozilla CEO; also linked directly to his blog.
Firehose:Safari 3.1 for Windows found vulnerable by recoiledsnake (879048)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Safari 3.1 For Windows Violates Its Own EULA, Vulnerable To Hacks 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Acidity (Score:5, Funny)

    by n3tcat (664243) on Thursday March 27 2008, @08:53AM (#22880498) Homepage
    So Acid 4 will include security tests too now, right?

  • Some ideas are not so good (Score:5, Insightful)

    by Miros (734652) * on Thursday March 27 2008, @08:55AM (#22880520) Homepage
    Sometimes it's just really not a good idea to push a piece of software out to hundreds of millions of people on its first release just because they use/update your other products. This is the real way that it could come back and bite them, and it certainly seems to have.

  • I wonder... (Score:5, Funny)

    by Fenice (1156725) on Thursday March 27 2008, @08:55AM (#22880530)
    ...if Apple can sue itself for proposing illegal installs of safari on windows?

  • It was bound to happen (Score:5, Insightful)

    by downix (84795) on Thursday March 27 2008, @08:56AM (#22880532) Homepage
    EULA's have gotten to the point that they conflict with themselves. One can then assume that Safari is intended for the Windows install on Mac machines, *or* on machines to which someone has applied an Apple brand sticker.

    I am waiting for the EULA that requires all users to declare the programmer their god and send off their first born child to him in sacrifice.

  • Violating the EULA (Score:5, Interesting)

    by sm62704 (957197) on Thursday March 27 2008, @09:01AM (#22880566) Journal
    How can you violate an agreement that you never agreed to? Does Microsoft have a copy of a contract with my signature on it saying I'll accept its terms of use for XP? If I had Safari would Apple have a signed contract?

    When I go to best buy I don't "license" an OS or piece of software; I pick a box up off the shelf, pay money for it and am delivered a purchase reciept. I then own the goods that I just BOUGHT. I am under no statutory obligation to read anything or sign anything. I tear open the box and do what I want with it, short of violating copyright law.

    Your EULA is fiction, and until I see one stand up in court I'm going to ignore it.

    -mcgrew

    • Re:Violating the EULA (Score:5, Insightful)

      by ari_j (90255) on Thursday March 27 2008, @09:06AM (#22880608)
      You are mistaking "signature" and "agreement." Signatures are not a prerequisite to a valid contract, they are merely very good evidence of agreement. You can get out of some contracts you signed and you can be held to some contracts you didn't. The lack of a signature is not the reason EULAs are of questionable enforceability.

    • You can stop ignoring them (Score:5, Interesting)

      by hassanchop (1261914) on Thursday March 27 2008, @09:09AM (#22880638)
      http://en.wikipedia.org/wiki/ProCD%2C_Inc._v._Zeidenberg [wikipedia.org]

      "ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir., 1996), is a United States contract case involving a "shrink wrap license". The issue presented to the court was whether a shrink wrap license was valid and enforceable. Judge Easterbrook wrote the opinion for the court and found such a license was valid and enforceable."

      They've been held up in court. The issue isn't totally decided, with other cases dealing with more specific issues, but your "nah nah nah MARY HAD A LITTLE LAMB nah nah nah" fingers in the ears stance may not be legally prudent.

    • Re:Violating the EULA (Score:5, Informative)

      by Kjella (173770) on Thursday March 27 2008, @09:26AM (#22880806) Homepage

      Your EULA is fiction, and until I see one stand up in court I'm going to ignore it.
      I guess you better close your eyes and hum real loud then. I'm not saying it's universal, but to take a few examples from the wikipedia page in Brower v. Gateway "the Supreme Court of New York ruled that the terms of the shrink-wrapped license document were enforceable because the customer's assent was evident by his failure to return the merchandise within the 30 days specified by the document." And regarding click-wraps: "Click-wrap licenses have met with more support in the courts, though notable counterexamples exist. In ProCD v. Zeidenberg, the license was ruled enforceable because it was necessary for the customer to assent to the terms of the agreement by clicking on an 'I Agree' button in order to install the software."

      The whole section on enforcability starts with "The enforceability of an EULA depends on several factors, one of them being the court in which the case is heard. Some courts that have addressed the validity of the shrinkwrap license agreements have found some EULAs to be invalid, characterizing them as contracts of adhesion, unconscionable, and/or unacceptable pursuant to the U.C.C." If you read between the lines, it says "No court has rejected EULAs outright". If you're outside the US, it seems to be much the same. Yes, Germany declared the bundling with Windows to be unenforcable, but the EULA as such still remains. In short, you're talking about the way you want it to be not legal reality except possibly in Kansas where there was a ruling agreeing with you.

  • Fine by me (Score:5, Funny)

    by asc99c (938635) on Thursday March 27 2008, @09:03AM (#22880590) Homepage
    My iPod came with a big Apple sticker which for some reason I did stick on my PC. Guess I'm OK to use Safari then.

  • Profit? (Score:5, Funny)

    by crt (44106) on Thursday March 27 2008, @09:20AM (#22880738)
    Step 1: Install Safari on millions of unsuspecting Windows PCs
    Step 2: Sue non-Mac owning PC users for violating EULA
    Step 3: ???

  • A buffer overflow? In 2008? Seriously? (Score:5, Interesting)

    by pyrbrand (939860) on Thursday March 27 2008, @11:11AM (#22882050)

    Man, they're not even trying are they? This day an age, not only is there no excuse to ship with such a basic flaw, there's really no excuse to be programming in a fashion that would allow it. It's so easy to audit for basic overflows (at least on Windows) that it's silly. Even just compiling /GS with VC++ should protect you against a lot. Seriously, people give MS a bad rap these days, but any exploit you're going to see in their software these days usually takes advantage of complex system interactions or odd exception throwing.

    Apple should take a serious look at their coding practices and consider banning the use of unsafe CRT functions and using _s versions of any C functions their using (Visual C++ has them and they're part of the next standard) or at a minimum requiring audits of all raw pointers. Static analysis tools should also be mandatory and should catch most issues.(http://www.spinroot.com/static/)

    • Re:It has begun... (Score:5, Funny)

      by Divebus (860563) on Thursday March 27 2008, @08:53AM (#22880502)

      "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs."
      Damn! Now, where did I put those Apple stickers?

          • Re:It has begun... (Score:5, Funny)

            by erc (38443) <erc@pobo[ ]om ['x.c' in gap]> on Thursday March 27 2008, @10:44AM (#22881748) Homepage
            I used to work for Sun back in the early 90's, when Linux was first getting off the ground. We had finally gotten X to run under Linux, and so I figured I'd see what it would do on a 386SX/25 laptop with 16MB of RAM. It was pretty slow, but as long as I wasn't doing anything it was fine. When the screensaver kicked in, I saw the traditional Sun logo, and that gave me an idea for a prank.

            I went down to engineering and got one of the old metal Sun logos, the ones that used to be on the front of Sun-2 boxes, and put it over the logo of the laptop, fired it up in my office, and waited for the first victim to wander by. A while later, one of the senior software developers walked into my office to ask me something, and spied the laptop with the Sun logo and the screensaver running with the Sun logo on it. "How'd you get a Sparc laptop? I didn't think they were in production yet!" I have lots of friends ... [chuckle]...

            It didn't take long for the prank to be found out, but it sure was fun for a while... :)

            Reminds me of the time that I got Wine running under A/UX (Apple's version of UNIX, SVR4 flavor) - I was working for Apple at the time, and it was fun to see people's faces when they'd come by and see the Windows logo on the screen on what was obviously a Mac, but that's a story for another time. Sure was a fair bit of work, but it worth the prank value... :)

      • Re:It has begun... (Score:5, Insightful)

        by Mattsson (105422) on Thursday March 27 2008, @09:08AM (#22880624) Homepage Journal
        Also, if you do choose to buy an ipod, you don't have to use itunes.
        You don't even have to use apple-firmware in your ipod. There's an upgrade-firmware [rockbox.org] that makes itunes totally obsolete.
        It's not available for all ipod-models yet though...

        All in all, though, an installer that offers the option of installing irrelevant software (like installers that offer "google toolbar" or "Safari" or "superduper spywareinstaller") should have that option unselected as default.

        • Re:It has begun... (Score:5, Interesting)

          by AvitarX (172628) <me@@@brandywinehundred...org> on Thursday March 27 2008, @09:18AM (#22880724) Journal
          The EULA is not a red herring.

          People are having software that they have no license to use being automatically installed on their systems. I would think a term like that is not valid (non-obvious terms may not be valid in the US), but if it does hold, they will have millions of people in the US infringing on their IP. If they decide they are desperate and start suing (not likely any time soon) there are a lot of potential targets.

          This is like the RIAA giving away MP3s on their website, saying "you agree to listen to this on only RIAA approved devices". When you suddenly have millions of people acting innocently illegally using your product it is not good for them.

              • Re:It has begun... (Score:5, Insightful)

                by MrNaz (730548) on Thursday March 27 2008, @10:18AM (#22881442) Homepage

                The security issues isn't the real problem here, all software has them from time to time.

                Oh blow me. Can you imagine the shitstorm of a comment thread that would result from this exact same thing being the result of MS's doing? The massive gaping security hole *is* a big deal, it is not made less so just because Apple did it and not MS.

                And what the hell are you talking about with MS giving guidelines? You mean like, MS should give you guidelines on what you should and should not do with your PC? Dude, seriously, where the hell did you come up with your ideas?

        • Re:It has begun... (Score:5, Funny)

          by grahamd0 (1129971) on Thursday March 27 2008, @09:56AM (#22881186)

          If Safari becomes the default browser on these systems, you end up with critical vulnerabilities in a browser installed on non-tech-savvy individuals' computers.

          Good god, man! We've got to get them back on Internet Explorer!

        • Re:It has begun... (Score:5, Informative)

          by Zonk (troll) (1026140) on Thursday March 27 2008, @10:57AM (#22881898)

          Considering Apple's notorious heavy-handedness in their software updates and the aggressive way their software "takes over" your computer when installed, I wouldn't install a piece of Apple software on my computer if you put a gun to my head (I'd as soon install Realmedia player). I used to put Quicktime on my system, but I got so tired of putting up with that sneaky turd (would NOT let you completely uninstall it, insisted on always running in the background no matter what you did to stop it, would try to sneak its way back into your registry even if you deleted its entries, aggressively took over neutral file types, would constantly try to trick you into installing iTunes too, etc.) that I finally refused to even install that much (I use "Quicktime alternative").


          Anyone who installs Apple software had better be prepared to join the cult, otherwise stay the hell clear of it.

          I agree with that, but if you need Qucktime support in, say, an organziation there is a way around that without using Quicktime Alternative.

          Download the installer. Run cabextract on it. You'll get the following files:

          AppleSoftwareUpdate.msi
          QuickTime.msi
          QuickTimeInstallerAdmin.exe

          Only install Qucktime.msi. Delete the others. Just do msiexec /qn /i Qucktime.msi.

          Then run this registry file:


          Windows Registry Editor Version 5.00

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "QuickTime Task"=-


          Make sure to delete the shortcuts so users can't bring it up. Doing it this way will let the browser plugins work, and also enable software that uses quicktime to work (lots of educational software uses it) without being hostile to your system. It will only take the quicktime file extensions this way.

    • I think you're not reading closely enough (Score:5, Informative)

      by hassanchop (1261914) on Thursday March 27 2008, @09:02AM (#22880576)

      "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs."


      I got Safari as part of the iTunes update. I have a non-Apple Windows machine, running Safari. They basically forced the software on me, and the EULA says I can't use it.

      Does that answer your question?

    • Re:Hardly surprising (Score:5, Interesting)

      by Shados (741919) on Thursday March 27 2008, @09:44AM (#22881034)
      B...b....but Apple is not a monopoly! That means they can and SHOULD do this!!! /sarcasm.

      Seriously though, Apple is allowed legaly for said reason, but I never understood why people accept it... I mean, last I checked, when Microsoft -started- doing that crap, they weren't a monopoly either...and look where it got us.

      That being said...watching a media player (iTune)conflict with a RAID (I swear Ive seen that happen) is quite amusing... Just exactly WHAT is that stupid thing doing anyway?

    • Re:Hardly surprising (Score:5, Informative)

      by Jeff DeMaagd (2015) on Thursday March 27 2008, @10:20AM (#22881464) Homepage Journal
      I call BS. I just uninstalled iTunes and there's no background process or anything like that running, and no executable remaining. Maybe the program should have offered to remove the program preferences in your account, but there's no binary there.

      That "spyware" service you refer to is just a notifier to open iTunes when an iPod is connected. That's all it does. It's hardly malicious, and it doesn't report to Apple what you do with your computer.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.