
Apple Safari On Windows Broken On First Day

Posted by kdawson
from the bigger-they-come dept.
An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.

  • Re:it's beta (Score:3, Interesting)

    by josepha48 (13953) on Monday June 11, 2007 @11:15PM (#19473745) Journal
    I have noticed posts like this on /. in the past year or so. Someone releases a beta and then people say it has bugs and it is broken. They said the same thing when IE7 betas were released. What is it about the word beta that people on /. don't get?

    From wikipedia -> http://en.wikipedia.org/wiki/Software_release_cycle#Beta [wikipedia.org] , this is a prototype / preview / early access.

    Report the bugs and they will probably get fixed.

    I'm amazed that things like this get to the story line on /. .

  • by gbulmash (688770) * <semi_famous@yah o o . com> on Monday June 11, 2007 @11:19PM (#19473773) Homepage Journal
    What makes me scratch my head... if these guys can find holes in a few hours, why can't Apple? It's not like these guys spent months to find some really obscure bug. They banged away with known attack vectors and got near-instant results. In a case like that, "it's a beta", particularly when it's been hyped at a big event, rings VERY hollow.

    IMO... If you release it quietly, so only the diehards are really pounding it, you can keep the "it's a beta" excuse. If you hype the release, you lose the excuse.

    - Greg
  • by DA_MAN_DA_MYTH (182037) on Monday June 11, 2007 @11:23PM (#19473795) Homepage Journal
    Maybe they should start paying for the world. Releasing buggy software and expecting people to QA it for you FOR FREE is insane. Maybe apple, microsoft, and the rest of these asshole companies should start hiring some decent testers. You fanbois can stop whining too, or are you offering to compensate these guys for bug testing your favorite lame software?

    Ah yes, giving away FREE software and expecting people to use it for FREE. In turn for that FREE use, if someone finds a bug it's absolutely ludicrous to expect them to report it.

    Now mind you I understand why they may be giving it out for FREE, probably so people can FREEly develop for the iPhone, widgets and browser.

    Maybe they should have created an IDE that wasn't FREE so you can pay for the tools to develop on their FREE platform, and use that money to pay for the QA department, so I can be FREE of you haters and your whining.
  • by Bri3D (584578) on Monday June 11, 2007 @11:25PM (#19473815) Journal
    Apple includes CoreFoundation.dll and CoreGraphics.dll, which have the same exports as the OSX frameworks.
    Therefore it's possible to use the OSX CoreFoundation and CoreGraphics headers to link to the Windows DLLs natively and create native Windows "pseudo-OSX" apps.
    I believe CoreFoundation.dll has been around with WebObjects for Windows NT for a while, but I think CoreGraphics.dll is a new Apple "release" (I remember some anger over Apple not porting CoreGraphics when WebObjects/NT first came out).
    I've documented some of what I've poked around today (just a screenshot and simple description for the moment) at http://pages.brianledbetter.com/ [brianledbetter.com]
  • Re:Alpha or Beta? (Score:3, Interesting)

    by cowscows (103644) on Tuesday June 12, 2007 @12:04AM (#19474127) Journal
    I have no inside knowledge of any of Apple's plans, but I wonder if they didn't sort of rush the Safari for Windows beta release to quell a bit of the noise that some people have been making about the lack of 3rd party development for the iPhone. Along with this new version of safari, Apple announced today that the way to get your app onto the iPhone is through web applications, and safari is what the iPhone is going to be running. And I guess they decided to release Safari for windows now, just to show that they're serious about letting devs work on iPhone Apps.

    Apple most likely wants as much free press about the iPhone as is possible as it gets closer to its release date, so why not get the dev community a little more excited. It sucks that this safari beta isn't quite ready, but safari is pretty well respected on the mac, so I have faith that it'll quickly improve on Windows.
  • by thebrieze (1102809) on Tuesday June 12, 2007 @12:26AM (#19474257)

    Google.com takes 45 seconds to load. CNN.com, several minutes for just the text to load (haven't seen any images yet), I have yet to see the safari home page fully load. It has now been about 8 minutes since I started the browser and the home page is still loading and has a blank screen. OK CNN just finished loading 12 minutes later. Slashdot, about 2 minutes for just the text, and about 5 minutes for the whole page. (And yes, I've tried restarting/rebooting several times)
    This is all on a 7 mbit cable connection, using Firefox, CNN.com, or mostly any other page for that matter, takes about 3 seconds or less to fully load, including all the flash animated ads. So figuring there must be something wrong with my PC, I install safari on my laptop. Nope! Same results. I upgrade iTunes, thinking there might be some strange dependency on the latest version of quicktime, but no difference. I disable my (software) firewall, and antivirus.. and again nothing.. still watching the grass grow faster than the page loads... Anyone else experience this?
  • by dfiguero (324827) on Tuesday June 12, 2007 @12:48AM (#19474385)
    What is it with the "Apple fanboi" phrase appearing on every Apple article? I don't use Macs at all and I probably won't use Safari as I'm pretty happy with FF and I don't see a reason to switch ATM.

    However, I'll agree that the attitude this researcher has is terrible. For starters how do we know he actually discovered all these vulnerabilities? I could claim I discovered some too and I won't disclose them. Secondly, why wouldn't he share the information with Apple, why bother discovering all these vulnerabilities in the first place? It's not like he's a black hat (AFAIK) so the only other reason I see is the attention you get from such comments.

    Besides I'm sure some people will gladly help Apple test their _beta_ browser. I'm all for more competition on the browser space, put some pressure on all players so they produce better stuff.
  • by sitharus (451656) on Tuesday June 12, 2007 @01:11AM (#19474483) Homepage
    It's not present on Mac Safari, though the demo page does crash the Safari 3 Beta.

    The main thing is how the URL handling works. Under Windows, Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS, the MacOS URL handler finds the application and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.

    I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.
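
The difference described in the comment above, as an added example (not code from the thread, from Apple or from the researchers): a command template in the style of a Windows URL-protocol registration, a simplified argv splitter, and a caller-side check that keeps a URL inside its one quoted argument. The application path, the `-url` switch, the `example:` scheme and all function names are hypothetical.

```python
import re
from urllib.parse import quote

# Hypothetical handler registration in the style of a Windows URL-protocol
# command template; "%1" is replaced by the URL before the process is started.
HANDLER_TEMPLATE = r'"C:\Program Files\ExampleApp\app.exe" -url "%1"'
# Constructed input: a double quote closes the "%1" argument early.
CRAFTED = 'example://open" --injected-switch "value'

def split_windows_args(cmdline):
    """Simplified Windows-style argv split: double quotes group, whitespace
    separates. The real parser's backslash-escape rules are left out."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args

def launch_args_naive(url):
    """The behaviour the comment describes: the URL is pasted in unchanged."""
    return split_windows_args(HANDLER_TEMPLATE.replace("%1", url))

SAFE_URL = re.compile(r"^[a-z][a-z0-9+.-]*:[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]*$")

def launch_args_checked(url):
    """Caller-side mitigation: percent-encode anything that could end the
    quoted argument (quotes, spaces, backslashes), then allow-list the result."""
    encoded = quote(url, safe=":/?#[]@!$&'()*+,;=%-._~")
    if not SAFE_URL.match(encoded):
        raise ValueError("refusing to pass URL to external handler")
    return split_windows_args(HANDLER_TEMPLATE.replace("%1", encoded))

if __name__ == "__main__":
    print(launch_args_naive(CRAFTED))    # five arguments reach the application
    print(launch_args_checked(CRAFTED))  # three arguments, URL stays intact
```

The check belongs at the single point where URLs are handed to the external handler, so that it applies however the URL reached the browser.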
  • From here @ WWDC... (Score:5, Interesting)

    by catdevnull (531283) on Tuesday June 12, 2007 @01:16AM (#19474505)
    From what I can tell, Apple is jumping on the consumer bandwagon (or trying to)--it seems they're trying to increase the Webkit install base to raise the "awareness" factor for iPhone's web engine. From the sessions I went to today, it seems Apple is really pushing for Web 2.0 development. I was surprised by this--for a developer conference specifically for Apple's OS, there was this weird, eerie spell cast by the presenters for pushing web apps.

    The vibe amongst the attendees is a weird mix of disbelief and bewilderment. Safari for Windows was not the big deal Steve was hoping it would be. In fact, most of the conversations I've overheard are pretty critical of this direction.

    I don't think Apple is serious about competing for market share against FF or IE on Windows. I think they're offering the development platform based on Webkit so that web developers can make sure their code looks OK on the iPhone. Webkit-iness seems to be the only development platform for iPhone Apps.

    Or, maybe Steve is starting to drink his own Kool-Aid.
  • Offtopic:

    I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.

    So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!

    Now, all the docs on how to enable it are for Safari on the Mac, understandably. What to do?

    Kill Safari

    Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist

    Add, in what appears to be the logical place: IncludeDebugMenu1

    Load Safari. Now developer-useful things like the Javascript Console are available to you.
  • by LO0G (606364) on Tuesday June 12, 2007 @01:56AM (#19474731)
    The problems that were found were found by fuzzing HTML output. That's not platform specific.

    And similarly, the canonicalization failure handling iframes is not platform specific. Apple knew about the potential for exploitation of that particular vulnerability, they mitigated it for basic links, but didn't when the link was in an iframe. So again it's not platform specific.

    nuf said.

  • by ernest.cunningham (972490) on Tuesday June 12, 2007 @03:19AM (#19475049) Homepage
    I have tried the browser in Windows XP Professional SP2 and all works perfectly fine for me. The browser is quick and responsive.

    Now it may be a beta, but the browser seems VERY buggy, too buggy to be a beta (according to other people's testimonies, not my own experiences). I think Apple has missed out on a great opportunity to gain market share here because there will be many people who have tried the browser, had major issues, and now will never go back. Yes I know it is a beta! (preempting the hordes).

    I also think that the product was rushed to market, and that apple would never have released the browser in this condition had it not been for WWDC 07. I think they just could not get it to the point they would have wanted in time. And I agree with those above who have said the browser exists mainly for testing iPhone Apps in. Time will tell if they made the right decision here.

    I would suggest to anybody out there to wait a couple revisions before really trialling this application unless you are going to use it to connect to trusted websites you already know, or looking to develop for the iPhone.

    Now where is my developer copy of Leopard. We non attending Apple Developer Select Members always get made to wait a couple months :(
  • by DrXym (126579) on Tuesday June 12, 2007 @04:10AM (#19475211)
    Every single dialog box and effect is Aqua style. Even though both OS X and Windows XP / Vista have theme engines meaning there should be absolutely no reason at all for doing this. The engines allow apps to render their controls in the native style irrespective of how they are implemented. It's why Firefox in its default skin looks like a Windows app on Windows, like a Mac app on a Mac and so on - because rendering is handed off to the theme engine. Same happens for Java too. But not Safari it seems.
  • by eturro (804858) on Tuesday June 12, 2007 @05:21AM (#19475483)
    Thor Larholm's vulnerability example crashes Safari 3 on Mac OS X too.
  • by DrXym (126579) on Tuesday June 12, 2007 @08:23AM (#19476283)
    Also, I can't tell, but it seems like your message is implying that you believe Safari uses XUL or some other Mozilla based skin settings. It doesn't. Safari = Konqueror's KHTML engine wrapped in WebKit frameworks + Stuff that makes it look like a Mac app. There's no Mozilla anything involved. (Or maybe I'm misreading you?)

    I meant that the Mac has a theme engine and Windows has a theme engine. Both have a bunch of APIs that you can call easily from any app to render a button, scrollbar, checkbox etc. in the platform style. This is exactly how Firefox and Java manage to render themselves with a native look and feel even though they don't use native widgets. In porting Safari to Windows Apple have also ported the theme engine from OS X meaning the app doesn't look or behave like any other Windows app. There appears to be absolutely no valid reason to do that when Windows has a theme engine of its own. Cocoa could invoke calls on that to render widgets but it doesn't. It makes Safari look atrocious and completely non standard when running in Windows. I'm hoping they will fix this because I don't see any reason at all to use Safari when it can't even be bothered with basic consistency.

    Microsoft would be killed if they pulled the same stunt, releasing an IE port with Aeroglass theme for Linux or OS X, and rightly so. MS actually did release an IE 4 for Unix and it was abysmal, running through some Win32 thunk. I don't see why Apple should have a free pass. If anything they should know better.

  • by LKM (227954) on Tuesday June 12, 2007 @09:00AM (#19476585) Homepage

    I'll bite. Maynor described vulnerabilities. Maynor immediately goes public with Mac vulnerabilities because he (in the past anyway) has claimed that Apple has ignored private disclosures. I've had exactly the same experience (many years ago) so I can support him on this point.

    Looking at changelists for bugfix releases of Mac OS X, Apple regularly fixes non-public vulnerabilities and credits the people who found them. They do downplay these issues, and some managers from Apple have publicly lied about vulnerabilities in the past, but they do fix them pretty quickly and give proper credit.

    For all we know, Maynor's own account of his issues with Apple bears little resemblance to what really happened.

  • by SEMW (967629) on Tuesday June 12, 2007 @03:28PM (#19481449)

    You mean that black letters on white background actually appear as black letters on white background sucks? You really prefer Windows' black-letters-appear-in-rainbow-colors technology?
    You're an idiot. All colours on a computer screen are built up by different combinations of primary colours: red, green, and blue. See http://en.wikipedia.org/wiki/Additive_color [wikipedia.org]. 'White' is just all three primary colours turned on full; 'Black' is all three turned off. Normally, letters on a computer screen are created by switching individual whole pixels on and off. The difference with subpixel font rendering [wikipedia.org] is the manipulation of the individual 'subpixels' (the red, green, and blue elements that make up a pixel) to effectively triple the horizontal resolution on an LCD screen. So if you have an LCD whose subpixels are ordered RGB, the example text in the link you post will not look coloured, but will look significantly smoother than the not-subpixel-rendered text. If you have an LCD with BGR ordering, or a CRT, you will see 'color fringing'; a good font rendering implementation will automatically switch off subpixel rendering for CRTs. See the Wikipedia article [wikipedia.org] for more details.

    Also, I would note that Quartz (which renders fonts on modern Macs) also uses subpixel font rendering; MS merely did it first.

    The differences in font rendering between Windows and Mac are due to other reasons, which I explain here [slashdot.org]
