report vulnerabilities to Apple because he is a total fsckwad loser attention hound.

Thanks for the news about the vunerabilities, Paris Maynor.

... it's a beta version.

Yeah -- what the hell.

I can understand not sitting on a vulnerability -- there are some valid points both for and against full disclosure -- but not notifying the company at all? WTF.

This is the sort of stuff that just makes the whole IT security industry, and everyone involved in it, look dangerous and irresponsible.

I'm not surprised. Apple really doesn't write more secure code, they just have a lower market share and thus aren't as much of a target.

And alot of their success at security on Mac OS is just them inheriting some of their security from the BSD kernel which I'm positive beats the hell out of the Windows kernel in terms of security.

..."that you should expect bugs in a BETA"

Come on. You have to admit remote execution of any cmd is pretty bad even for a beta. This ain't your run of the mill bug, like a UI glitch or rendering type of bug. It makes the beta unusable and thus not a very useful beta. (Unless you're testing how your own trusted website looks under Safari.)

But I won't be trying it since other Apple products like iTunes and Quicktime still run like crap on Windows.

Thanks but no thanks.

I wondered who'd be the first to launch an ad hominem attack - and look, right in the first comment.

How about we try it this way:

Maynor claims to be a professional security researcher. One of the cornerstones of professionalism in that field is responsible disclosure of discovered vulnerabilities. Another is full disclosure of vulnerability details after a vendor has had a reasonable amount of time to correct the vulnerability. Yet another is working to advance the overall state of computer security. But Maynor has a track record of irresponsible, partial-at-best disclosure: he claims discovery of vulnerabilities while proclaiming that he will not report them to the vendor, and strives to hide the details of his discoveries from open review by his peers in the security community (for example, witness the endless controversy over the alleged MacBook wifi hack, all of which could have been settled quickly and objectively by simple peer review of the exploit he claimed to have used). And none of this can, so far as I can see, be construed as advancing the state of computer security in any fashion.

In other words, there is no sense of the word "professionalism" for his field which seems to be reasonably applicable to Maynor. Before you go screaming "ad hominem" or "Apple Fanboi", take note of two things:

1. All I've criticized here are the man's methods, not the man himself. I don't even speculate to his motives for operating the way he does.
2. I'm typing this on a MacBook Pro, and I do like both it and the operating system it runs, but neither are particularly essential to me -- at this point I can move between (Unix-y) operating systems with relative ease, and occasionally do as needed (prior to this MacBook, I used various forms of Linux exclusively for about six years, and still use them on a regular basis. The only OS I have a prejudice against is Windows, and I've even got that available, virtualized, when I need to test things in it).

I await your reply.

Well the point of a Beta release is to increase the userbase so as to increase the amount of testing.

If they could guarantee they could get the security bugs out before releasing a Beta version, then they'd be able to guarantee they could get all the other bugs out too, so then it wouldn't be a Beta release, but a final release.

You just have to accept that if a company has said "this is a beta release, it will have bugs", that it will have bugs - all types of bugs, not just "safe" bugs. Also, the severity of the effect of a bug has no correlation with how easy it is to locate.

People have become way too complacent about trying beta quality software these days. Don't try it if you don't want to take the risk.

Given the complaints I've seen elsewhere, I think that the quality is closer to alpha stage development. Usually, "public beta" is done on software that's almost ready for use, but has minor bugs. The reports I've seen are that there are a lot of serious bugs in rendering and stability, and now, major security problems.

... but the first thing that I thought of was that here you have an app (Safari) that works perfectly fine on Macs; as soon as it gets ported to Windows, BAM, instantly full of vulnerabilities. Would Apple go so far as to break their own product to deface an opponent in the OS arena?

Aikon-

Indeed. The issue not being that Windows is less secure, but that it's a different platform, and as such would expose any code to completely different vulnerabilities.

Of course it is. There is no way I'd expect my mother to report a bug. However what isn't ridiculous is expecting someone who deliberately seeks out a bug, has the ability to reproduce it, and has blogged about it and also calls themselves a security analyst, to actually report the bug. Heck, only a link to his blog post would probably be helpful to Apple. That takes very little effort on his part, so its not unreasonable to expect it.

Well the point of a Beta release is to increase the userbase so as to increase the amount of testing.

Yea. Increase the userbase. Of course, they just did the opposite and scared them away. Lesson here: never show your unfinished work. A first impression only comes once.

You just have to accept that if a company has said "this is a beta release, it will have bugs", that it will have bugs - all types of bugs, not just "safe" bugs.

A bug that lets any old script kiddie put up a page that can execute del /S c:\* on my PC is beyond the level of anyone's expectation of a bug. Why would I bother with Safari now? Sure. They'll release another, new, improved beta... bug free, but will I trust them?

No.

Even with a free beta I have a reasonable level of expectation. That the program not destroy my machine with basic usage. That the program not allow remote execution. That the program provide some core functionality as advertised. This version of Safari is well below those expectations.

Truth is, if the guy had reported the bugs/vulnerabilities to Apple, they more than likely would have done what they always do, wait months to push a fix out or just deny their existence altogether.

Did you read the disclosure policy?

Keeping with our disclosure policy, we do not report bugs to Apple.

It doesn't say

Keeping with our disclosure policy, we do not wait for a response to the bugs we report.

If it said that, your comment would make sense. That would be something like ... "We don't think Apple will fix it, so we won't wait before announcing it". I could see that (though not agree with it). But "We don't think Apple will fix it, so we won't even TELL them about it" is totally irresponsible. The only "rational" interpretation of that is he actively wants to make it harder to improve the security of Safari.

Do you have a better explanation, or a justification for that approach?

What makes me scratch my head... if these guys can find holes in a few hours, why can't Apple?

Because 100,000k security researchers and hackers all typing away at keyboards will eventually write Shakespeare?

I don't care how bright your engineers are or how well you've planned your security model, the moment you put it on the 'net it WILL be hacked. That doesn't mean it will stay hacked, so much as the task of securing a system against simulated internal attacks will uncover different problems than putting it in the wild.

Eh. iTunes on Windows is alright in my opinion.

It's quicktime that's the absolute mess -- It's gotten better since iTunes came along, but compared to the lightweight framework that it is on the mac, the windows version absolutely sucks. It's just an incredibly sluggish, and somewhat useless media player.

On OS X, Quicktime is essentially a fairly versatile media framework that, given the proper codec, can play just about anything. Virtually all mac applications that require the manipulation of media files utilize it. The file format also allows for some pretty darn cool nondestructive editing -- Final Cut Pro is more or less just a fancy utility for manipulating QuickTime files.

QuickTime player is simply a front-end application that makes use of the framework. Its Windows counterpart is a mere shadow of its former self.

On the other hand, VLC natively plays every format under the sun on every platform under the sun. Come to think of it, it's the only app I know of that works extremely well on all 3 major platforms (Firefox isn't so hot on the mac)

Many people blame the presence of a Windows version for preventing Apple from transitioning iTunes over to a Cocoa app. I can hardly blame them either -- Cocoa apps tend to be a bit more stable and 'snappy' (it's a really nice framework)

I wouldn't completely knock Safari without giving it a chance. Safari itself was based off of KHTML (and the Apple devs still contribute back regularly to the KDE/Konqueror folks). If they ported it once, porting it twice shouldn't be a terribly huge issue once the initial kinks are worked out.

There is no way I'd expect my mother to report a bug.

Why on earth would you be letting your mother run beta software?

They release a beta of a free product, the engine of which (and almost certainly where these bugs are located) is open source, and this "security researcher" finds a bug and refuses to report it. Deep throat he's not.

Hm... I didn't see any TV commercials about Safari on Windows. I did hear about an announcement at an annual conference for developers.

No better day to blow the whistle then the same day it's released. Much smaller chance of a user base being affected by it.

'Ah yes, giving away FREE software and expecting people to use it for FREE.'

Apple is a commercial entity. As long as Apple is still making a profit nothing you get from Apple is free, it may not be the guy browsing but someone is footing the bill. You can certainly bet that Apple didn't just drop their bottom line by the cost of developing and distributing the software.

It reminds me of the last time I called Comcast. I ordered Showtime for the Showtime on demand movies and while the channels came in the video on demand gave an error code (very annoying since I never waste my time watching whatever they are force feeding at the moment and watch what I want when I want with the video on demand). It took them 3 months to fix it and they had the nerve to charge me for Showtime during that time. Naturally I demanded a credit and the girl tried to claim that I was paying for the channels only and the video on demand was a free service they gave me out of the kindness of their hearts so there was nothing to credit. I told her that was wonderful, take away all that expensive programming I pay all that money for and just leave me the free stuff. She told me that it only comes free with the paid programming. I told her to make up her mind, either they are giving me the video on demand for free or they require me to pay them money in order to receive it.

"if these guys can find holes in a few hours, why can't Apple?"

David Maynor has a track record as a publicity whore first and legitimate security researcher second, so whether Maynor has actually found as many bugs as he claims to have found here is up for debate until he provides some more substantial proof. He also has a giant ax to grind after Apple embarrassed him in the AirPort bug fiasco. I'd take anything he says with a grain of salt until he gives me ample reason to trust him again.

Nice policy, by the way: find bugs and don't ever report them to Apple. Because last time you claimed to have reported a bug, Apple exposed you as a liar, so now you just don't bother. That's brilliant. We need more people in the world with that kind of attitude. And Maynor wonders why people don't take him seriously as a "security researcher". The Blogspot-based announcement doesn't help either. That's like your company e-mail address being @hotmail.com.

Thor Larholm, on the other hand, may well have found a legitimate bug. What with this being beta software and all, that's not too incredibly surprising. Equally serious bugs have been found in release versions of Firefox and IE, so I'm not sure what the big deal is here. If Safari 3 ships with these vulnerabilities still unfixed, then people should worry.

p

or you sincerely believe most folks that install stuff know what they are doing?

That is the responsibility they undertake, yes. They may or may not understand all the ins and outs, but it's their responsibility.

so then it is better that people don't know what's in for them when installing it, right?

Based on the blog posting, they STILL don't know what's "in for them," since the vulnerabilities are still undisclosed. They remain in Maynor's to do list, for sale to the highest bidder for all we know.

If you're a linux or MS supporter, don't waste your breath defending this guy. He wasted a year of everybody's time on that Airport vulnerability that didn't exist.

For a browser, to have "easily" testable major bug like remote execution, something which should have been caught a bit before. I disagree totally with the way this security "researcher" handled the bugs, but I also totally disagree taking off the slack because this is a beta. Bug found so quickly by testing a few known vulnerability in browser is something bad. With a big B. Smell of lack of security testing pre-beta.

I didn't say he shouldn't report that there's a bug, I said that he should report the bug to Apple. The beta agreement probably requires that he do that, actually.

And if you're installing a beta then yes, you really should be aware that you're in for some bugs. It's very unfortunate that Google has diluted the meaning of "beta" so much.

Also note that he's not really failing to report a bug to Apple, he's failing to report it to the webkit/khtml open source project. I doubt very much the bugs are in Apple's closed source GUI front end to webkit.

I doubt URL handling is part of the KHTML/KJS renderer; responsibility for acquiring content in Konqueror is done in KIO, so Apple would have had to implement their own content acquisition scheme.

It is possible that the stack failure is in (KHTML/KJS)/WebKit - but as it's not been shown that these bugs apply to either Konqueror or Mac Safari, it's most unlikely that the stack failures are the result of the open portion of the code.

Anyway, as a news story, this is a null set; it's a public beta. It's there for the public to test it and report bugs. It's not a production browser.

I'd be curious, however, to see if these bugs are Windows-only (for example, Mac OS-X and KDE have a URL handling scheme built into the OS that wouldn't be available in Windows; it would need to be implemented as part of Win Safari), or if they apply equally to Windows and Mac.

Next time there's a store near you having a buy-one-get-one-free sale, go on in and tell them you'd rather not have two of whatever it is, and could they please just give you the free one by itself. See how well that works for you ;)

'Next time there's a store near you having a buy-one-get-one-free sale, go on in and tell them you'd rather not have two of whatever it is, and could they please just give you the free one by itself. See how well that works for you ;)'

That's my point. You aren't getting anything free with a buy-one-get-one-free sale. The 'free' ones cost the store money, they are an expense, the store bases its prices on its expenses plus a markup. That 'free' one increased the price of other items in the store. In other words, it wasn't free at all.

If your faith is so easily shaken, then don't install beta software.
Wait until the bugs have been found, and install the final release.

A bug is a bug, and there's nothing special about security related bugs that makes them easier or harder to find than non security related ones, so as I said before, a company cannot guarantee that a product will have no security bugs unless they can guarantee that it will have no other unknown bugs. Obviously they can choose to fix the security bugs over the non security ones, but as long as there are bugs they have not discovered, then those undiscovered bugs can be security related. That's just how it is, and no amount of whining will change that.

Close. OpenStep for Windows NT made available FoundationKit and AppKit, which are the two major Objective-C frameworks of OS X and the core of Cocoa. They continued to be available on Windows through early versions of WebObjects 4, but are no longer available in any way from Apple. These are two of the frameworks that the GNUstep project [gnustep.org] aims to clone, with varying degrees of success.

CoreFoundation and CoreGraphics are APIs that were new in OS X. CoreFoundation is an object-oriented C-based API designed that parallels FoundationKit class-for-class. Although it's been (partially) available on Windows in the form of CF-Lite (http://developer.apple.com/opensource/cflite.html [apple.com]), it never shipped with any version of WebObjects. CoreGraphics is the technical name for what Apple marketing calls Quartz, and is Mac OS X's low-level C-based drawing API. This is the first time, as far as I know, that it's been available on Windows, though iTunes 7 probably uses it statically linked.

The messenger says something along the lines of:
"The Trojans are going to attack tonight. There'll be at least five cohorts, but I can't tell you where there coming from, or the time of the attack, because you know, that'll spoil all the exciting fun."

What does it matter..the total amount of Safari for Windows users is what? A few thousand? He was definitely irresponsible putting all of those people who decided to try out beta software in harms way. [/endsarcasm]

What did he achieve? He managed to make Apple look stupid with their crap about how secure they are. He wasn't even trying and find holes in their software.

Oh and I own two Macs before anyone calls me a fan boy of something else.

It's very unfortunate that Google has diluted the meaning of "beta" so much.
It's very unfortunate that the rest of the industry (especially MS) has diluted the meaning of "gone gold" so much. Gold is the new beta; beta is the new alpha.

No. But put it this way...

Let's say there's something built atop an open source library. Hey, there's plenty of them out there... let's pick OpenSSL as an example. It's open source and it's used in other projects, some of which are commercial or proprietary systems. Now assume that some company makes a proprietary, closed product built on that project as the core, but continue to contribute changes -- a heck of a lot of changes -- back to the original project as the develop. And then they release this as a beta.

Finally, let's say that someone finds a vulnerability in the proprietary project, a security issue with implications for the open source project. And instead of reporting the vulnerability to the proprietary folks (who would probably promptly generate a patch for both their tool and the underlying library, the person refuses to report the vulnerability to anyone and just says 'I found vulnerabilities, but I'm not telling you what they are.'

That's basically how WebKit/KHTML and Safari are tied together. Safari's just a UI atop an open source framework, WebKit, which Apple is the primary contributor to but which other people also contribute to, and which other projects (besides Safari and OS X) use. WebKit is used on Symbian OS, on Linux, and various other operating systems. And this guy is claiming to have found vulnerabilities which, given where they occur, seem to have implications for WebKit as well as Safari... and is refusing to give the details to either Apple, or to the WebKit development community.

You don't have to be an Apple 'fanboi' (or fangirl) to see that's not the way to handle security disclosures. If someone found several bugs in Firefox and said 'ZOMG I can crash Firefox or anything which uses the Gecko HTML engine. I can do it 100% of the time. But I'm not going to report the details to the Firefox team, so, nyah!' people would be up in arms about it.

Professional, good security researchers report things to the responsible parties, giving them the details necessary to fix it. Going, "Ha ha, I found a way to break your stuff but I'm not going to tell you how" is not only unprofessional, it's just downright immature.

Sure, lambaste Apple for releasing a beta/preview of something with bugs if you feel you must. But, please, don't bother trying to defend someone who basically makes a mockery of the entire security field.

Security flaw found in the beta version. Okay. Last time I checked didn't beta version basically mean = "It seems to be pretty much working, but we're not sure it's ready for primetime"

And I believe the reason you even would put a public beta out is, amongst other things, to find stuff like this and fix it before you put out the full gaurenteed version. If someone downloads a beta they should realize that there is less than 100% confidence that it won't have problems.

This is why beta versions are often limited to assigned testers, development partners etc.

Here comes my cheap-ish shot at Microsoft: It's one thing to have some problems and holes in the beta version. It bothers me less than when those are on the full release after a two major service packs and numerous patches...

Offtopic here, but that's generally a really severe pressure that game developers get from their publishers, unfortunately. It's particularly severe there; it is not as if you have 'Electronic Wordprocessor Monthly' grading the latest import productivity apps, and raising the hype on them all.

("Capcom ExpenseBlaster 3 Turbo gets an 8/10 for the blazing next-generation way it lets me balance my checkbook!" "I'm sorry, but this one felt lacking to me. It was anemic in terms of features, especially compared to other contenders like Rockstar's 'Grand Theft Accounting,' and the money-laundering options. Only a 4/10.")

That doesn't stop people from proclaiming doom and gloom and trying to point out alternative software if non-game products slip, of course. Which means more than game developers get the market pressure to just 'get a 1.0 app out there, and patch it later,' albeit a bit less than game developers do. Which sucks, but... the cause of this one unfortunately lies with both the developers and consumers, I think.

If your faith is so easily shaken, then don't install beta software. Wait until the bugs have been found, and install the final release.

First. I refuse to have faith when the fatal flaw involves an extremely simple usage of protocol handlers, which would be the first thing to test when testing for security.

Second. When Apple posts a direct link to one of its flagship applications on the main page of its website (http://www.apple.com), do you really expect people to understand what a beta is? It's called a beta, but it's not being treated as a beta. With normal betas, a small subset of the userbase will install, test, and use the app. Betas aren't supposed to be marketed with such fanfare. The entire point is to quietly release the beta to permit the beta testing to occur; it's not to push the app to the masses. Apple is advertising this "beta" to everyone and anyone: power user, casual user, grandma user, idiot user, manager user, etc (in order of decreasing acuity). You may know what "beta" means, but your uncle Vince who just completed a course at the public library titled "Learn the Internet 101" does not.

a company cannot guarantee that a product will have no security bugs unless they can guarantee that it will have no other unknown bugs.

Code quality is measured by bug density: bugs per thousand lines of code. Finding several severe bugs right off the bat is indicative of a fairly high bug density. Lowering bug density involves testing: black box, and white box. Apparently, Apple's idea of testing appears to be letting Dan the marketing guy give it a spin for a couple hours because he's the only one with a non-development Windows desktop. I can hear it now: "Hey, it checks out with Dan, let's PUSH the code!"

This whole thing smacks of a lack of respect for the target platform: Safari on Windows. A lack of respect for the product converts to a lack of respect from me for Apple.

That's just how it is, and no amount of whining will change that.

The only ones whining here are the Apple supporters who have long enjoyed bashing Windows users/supporters over the head with security related taunts. I think the only reason the Apple zealots are getting so upset is because this is another chink in Apple's armor. Meanwhile, the rest of us are criticizing Apple for very good reason--that this is the result of sloppiness and carelessness for the consumer.

Apple users: get used to this. Increased popularity means increased scrutiny.

Btw, criticism != whining.

I have been a loyal Safari user ever since the application came out. I have enjoyed it's speed and the many cool features that have since become commonplace in most browsers.

However, recently I finally gave up and moved to Camino. I got tired of the frequent Safari crashes, the many websites where you have to use Camino anyway because Safari doesn't work with them, and --in this case the most important point-- the nagging feeling that Apple was not doing a thing to improve Safari.

Now we know why. They have pulled their forces to make a version of Safari for Windows. Dumb move, when work is so desperately needed on the Mac version, and everybody knows that Windows users hate programs with a Mac interface.

As a Mac user, I am disappointed with Apple. I expect them to do work for me and not for the Windows crowd. And I'll stick with Camino.

Ask them, IE 5 WAS ported with the windows theme.

Well not entirely - IE 5 had a fruit flavoured theme to go with iMacs of the day, and the UI was distinctly Mac like. But Mac users have certainly gone batshit crazy over past versions of Office.

Windows users tend to be more levelheaded and / or apathetic. Instead of protesting, they'll simply ignore Safari altogether. The Safari 3.0 UI in Vista is awful - totally nonstandard in every respect. It's bad enough to have an Aqua-esque theme foisted into iTunes (at least most secondary dialogs paid some lipservice to the system theme) but it's even worse in Safari where everything picks up Aqua. The perverse part is that OS X apps call a theme engine to render widgets. So Apple must have ported the theme engine to Windows and hardcoded it into Safari rather than using the one in the operating system.

I really don't see any reason that Safari will take off on the Mac until it tries to integrate. Ironically the reason Safari succeeded at all on the Mac was because of Apple's dissatisfaction with Firefox & Camino (an OS X app using Gecko) for not being native looking enough. Now they're foisting a totally alien Safari onto another OS and expecting it to take off - it's not gonna happen.

Or how about everyone stop treating their choice of operating system as a religion? Hmm?

Uh, I don't know what planet your Firefox is from, but the only thing about Firefox that looks like a Mac are the window glyphs in the corner. As for the Windows version, I'd hardly call it a "Windows" look. It looks like a GTK app, which is a Linux look modeled after Windows. The coloring is specifically targeted for Windows. It doesn't look like either a KDE app or a Gnome app in Linux.

Firefox looks roughly the same on all platforms. So does Safari, now that it has grown to multiple platforms.

That's a nice way to get karma! If you post a comment that you suspect is going to be modded insightful, remember to include some errrors, so you can post a correction and get some more positive moderation for the second comment! ;-)

(...waiting for this comment to be modded insightful)

Well, firstly, there appears to be some bug with the Safari beta, possibly interacting with your Windows installation.

But Cleartype? Man, that sucks. The worst thing about web browsing on Windows is that text looks like shit. It would be nice to have a Windows browser that does decent text display. This is a huge problem where I work - where web pages are often viewed on a data projector screen for a large audience. Some projectors are hooked up to a Mac, some hooked up to a Windows machine. The output from Windows machines is uniformly terrible - which makes me wonder why they even bother using Windows on machines that drive projectors. In contrast, the Mac web browsers look great. So, if Safari on Windows (if it works) hopefully will provide a way to have a decent way of rendering web pages on large screens, and help us escape the misery of Cleartype and Internet Explorer.

QuickTime player is simply a front-end application that makes use of the framework. Its Windows counterpart is a mere shadow of its former self.

Based on the wording you used, when you said "Its Windows counterpart," I thought you were referring to Windows Media Player, which, as I understand it, is just a(n ugly) GUI over top of DirectX Media. Fortunately, there are alternate players, such as Media Player Classic [sourceforge.net] (an open source player that resembles Windows Media Player 6.4 with some extra features) and additional codecs, including one to play Quicktime [free-codecs.com] files.

I wouldn't completely knock Safari without giving it a chance. Safari itself was based off of KHTML (and the Apple devs still contribute back regularly to the KDE/Konqueror folks). If they ported it once, porting it twice shouldn't be a terribly huge issue once the initial kinks are worked out.

I'd consider using it if it didn't completely ignore some of Windows' GUI conventions. I hate skinned apps, with a passion. I tolerate Opera and Firefox simply because they have skins that resemble my OS... thanks to a "feature" of Windows dealing with Window Handles [msdn.com], even Internet Explorer has to recreate all the Windows controls that it wants to use (except <select> up through IE6) rather than using OS native widgets.

Other than the obvious non-standard widgets, you have

1. Missing application menu in the upper-left corner. This menu contains menu items for Minimize, Maximize, Restore, Move, and Size. This menu is still accessible via its keyboard shortcut (Alt-Space). Present since: At least Windows 3.0, 1991
   
2. Missing minimize animation. Present since: At least Windows XP, 2001
   
3. Maximize/Restore animation is odd, it resizes one dimension at a time. Windows itself resizes both dimensions at a time. Present since: At least Windows XP, 2001
   
4. Resizing can only be done from the lower-right corner. Windows allows resizing from all four sides and corners. Also, the cursor does not change when moved over the resize area. Present since: At least Windows 3.0, 1991
   
5. Clicking on the Safari icon in the taskbar when it is minimized performs the restore operation, even if the Window was maximized before... in other words, it shows the window maximized for a split second, then resizes it.
   
6. You can resize a maximized window. Windows programs normally don't let you do this.
   
7. Clicking on a taskbar icon for a window that is currently in front should minimize that window. Present since: Most likely Windows 95, 1995.
   
8. Some dialogs are missing close buttons. History, Show All History and Help, About Safari off the top of my head. In fact, the only way I found to close the History window was counterintuitively through Bookmarks, Hide All Bookmarks.

I think the company you're looking for is Mirabilus. Mirabilus diluted the meaning of Beta. Thanks for playing.

not to be mean but
  It's a friggin BETA!!!!!

it's supposed to have bugs in it.

besides it's not like IE where the bugs are in the shipping version and part of it's core design.

He's correct though. This isn't related to Apple in any way, it's related to mature, professional disclosure of computer software bugs, holes and issues to the maintaining company so that they can fix it, and thus keep computers secure.

[note: I'm not the 'you' referred to in the parent]
Why would someone announce that he's found a vulnerability but refuse to disclose it to the vendor? Some ideas:
a) He wants to hurt the reputation of the product/vendor. (This doesn't even require the existence of a real vulnerability.)
b) He wants to sell the specifics vulnerability, either to the vendor or to the highest bidder (in which case, this is advertising).
c) He doesn't care about the security side of things, he's just earning himself some free PR on sites like this which will publish his unsupported claims uncritically.
d) This is his idea of fun.

Anything I've missed?

Citing the blog:


UPDATE 5: I've been asked what our disclosure policy is. Its pretty simple, in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or make threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting. We do not sell the vulnerabilities to any 3rd party.

Seems the very likely scenario that they reported a critical vulnerablity and Apple tried to troubleshoot them "Is the network cable plugged in?" or "Our software is absolutely secure, your don't need to worry about it, our software has been throughoutly tested." or such. A security expert who gets flushed down the toilet by a marketoid is quite likely to hold a grudge against given company and report the following bugs elsewhere than said company.

I'll bite. Maynor described vulnerabilites. Maynor immeadately goes public with Mac vulnerabilites because he (in the past anyway) has claimed that Apple has ignored private disclosures. I've has exactly the same experience (many years ago) so I can support him on this point.

The primary question is: Are the vulnerabilites real? If so, then Maynor has provided a valuable service to the community out of the kindness of his heart. Period. Whining about him not telling Apple first is just whining. When YOU do the work then YOU can choose how to release the info.

I also seriously take umbrage at the notion that immeadiately disclosing vulnerabilites is somehow "unprofessional". Is is MORE professional to leave production environments vulnerable while you're waiting for the vendor to get his act together and send you a patch?

How the hell do you think this works in the Linux world, the world you supposedly come from? Most vulnerabilites are immeadately disclosed on Linux, because open source allows anyone to produce patches quickly, but according to you that is somhow "unprofessional".

I call bullshit. This is like someone sneaking up to a house (or downloading a public beta of it), trying all the doors and finding one unlocked. Then this person goes on their blog and posts a public notice saying that 1 Infinite Loop has a door unlocked, so you should go look for it. Do with it what you will. I am only looking for unlocked doors as a public service. Bullshit. You're looking for unlocked doors because you dislike the residents of 1 Infinite Loop. You're not helping _anyone_ make their homes more secure.

Yes. Every application release ever by a large company was irresponsible. And why limit it to large companies? No software should ever have been released because they all contain bugs which could be exploited by hackers!

What Maynor does is absurd. We all know software has bugs. The developers must be held accountable. But you can't do that unless you tell them what the hell the bug is, because they can't fix the bug until you tell them what it is!

I wondered who'd be the first to launch an ad hominem attack - and look, right in the first comment.

Thanks for reaffirming my faith in Apple Fanboi nature.

I wondered who'd be the first to call anyone who didn't scream 'Apple are teh sux0r' a fanboi - and look, right there in the second comment.

BTW, incorrectly using a latin phrase [slashdot.org] in an effort to look clever just makes you look like a pretentious twat.

I don't get why Apple thinks the average Windows user would want a significantly altered browser that looks nothing like the rest of the operating system he or she is using.

I take it you haven't actually seen IE7 yet? Besides, somehow or other, they've convinced people to actually use iTunes on Windows, so maybe there is hope...

Before people start jumping on you (oh, too late) they should look at any of Apple's security updates. Apple routinely credits the people who report vulnerabilities. The majority of "bugs" in security updates are patches to third party stuff from the OSS community, and Apple finds stuff internally, but if you report a vulnerability and Apple patches it they credit you.

for example, in Security Update 2007-5 [apple.com]

mDNSResponder

CVE-ID: CVE-2007-2386

Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9

A remote attacker may be able to cause a denial of service or arbitrary code execution

Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.

and

VPN

CVE-ID: CVE-2007-0753

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: A local user may obtain system privileges

Description: A format string vulnerability exists in vpnd. By running the vpnd command with maliciously crafted arguments, a local user can trigger the vulnerability which may lead to arbitrary code execution with system privileges. This update addresses the issue by performing additional validation of the arguments passed to vpnd. Credit to Chris Anley of NGSSoftware for reporting this issue.

So shut up and read up before making up claims about how Apple hates security researchers.

Maynor might be a liar or confused about the vulnerabilites. This dos not seem to be the case based on my reading, and nobody seems to be saying that the vulnerabilites he found did not exist.

The issue seems be the notion that it is somhow "wrong" for Maynor to disclose the vulnerabilites without informing Apple and giving them time to fix it. Maynor claims that IN THE PAST Apple has been uncooperative WITH HIM. So based on his OWN PAST EXPERIENCE he chose to release the vulnerabities publically. He did nothing wrong.

Frankly, I'd be a little pissed off. Maynor is doing valuable free work for Apple and he's getting pissed on by the Apple community for it.

I'm pretty sure the "bug" button is prominent in the Safari Beta UI for a reason, and being an attention hound isn't it. If this guy found bugs, he should push the damned bug button and report it back to Apple. After he's done that, he can blog about it to gloat, inform, or whatever else he feels he should do. But to blog/gloat/inform before sending the report to Apple (remember, it's one fricking button) is just asshattery.

...you can release a public beta and have have thousands of publicity whores do top notch security analysis of your beta for free?

Oh, grow up. Maynor is, by definition, someone no one should care about. If he reported his vulnerabilities, he would be worth listening to. Since he does not, he is not.