
Safari 3.1 For Windows Violates Its Own EULA, Vulnerable To Hacks

Posted by Zonk
from the you-have-chosen-poorly dept.
recoiledsnake writes "The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites." Further, Wormfan writes "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs." Update: 03/27 17:23 GMT by Z : Dave Schroeder writes with the note that the license has been updated to correct this mistake.
  • by muffen (321442) on Thursday March 27, 2008 @08:52AM (#22880488)
    • by Divebus (860563) on Thursday March 27, 2008 @08:53AM (#22880502)

      "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs."
      Damn! Now, where did I put those Apple stickers?
      • You laugh, but a coworker of mine took one of those Apple stickers and stuck it over the logo on the back of his company-provided Dell. There was always a moment of confusion when you saw his Dell, because it looked like a PC, but the Apple logo appeared to be built-in.

        He eventually moved on, but the person who inherited the laptop still has that sticker on there! :P
        • by swb (14022) on Thursday March 27, 2008 @10:26AM (#22881540)
          When the very first Blue & White PowerMacs came out, the print studio at the ad agency I worked for was totally pumped for their machines -- they had been sucking it up using beige G3s and even older PPC Macs.

          Since my job was prepping the machines for install in the studio, I decided to pimp the studio people by putting an "Intel Inside" logo over the Apple logo; of course the machine was for the Mac zealot in the group who was super pissed that the logo was there and that he couldn't figure out how to remove it.

          I caught hell for doing it, primarily because it took major surgery and a ton of time to put the stupid thing in there and I didn't get some other tasks accomplished.
          • by erc (38443) <erc&pobox,com> on Thursday March 27, 2008 @10:44AM (#22881748) Homepage
            I used to work for Sun back in the early 90's, when Linux was first getting off the ground. We had finally gotten X to run under Linux, and so I figured I'd see what it would do on a 386SX/25 laptop with 16MB of RAM. It was pretty slow, but as long as I wasn't doing anything it was fine. When the screensaver kicked in, I saw the traditional Sun logo, and that gave me an idea for a prank.

            I went down to engineering and got one of the old metal Sun logos, the ones that used to be on the front of Sun-2 boxes, and put it over the logo of the laptop, fired it up in my office, and waited for the first victim to wander by. A while later, one of the senior software developers walked into my office to ask me something, and spied the laptop with the Sun logo and the screensaver running with the Sun logo on it. "How'd you get a Sparc laptop? I didn't think they were in production yet!" I have lots of friends ... [chuckle]...

            It didn't take long for the prank to be found out, but it sure was fun for a while... :)

            Reminds me of the time that I got Wine running under A/UX (Apple's version of UNIX, SVR4 flavor) - I was working for Apple at the time, and it was fun to see people's faces when they'd come by and see the Windows logo on the screen on what was obviously a Mac, but that's a story for another time. Sure was a fair bit of work, but it was worth the prank value... :)
            • Re: (Score:3, Funny)

              by Kjella (173770)

              I used to work for Sun back in the early 90's,
              Reading the rest of your post, I'd say you were employed by Sun back in the early 90's.
      • Found 'em (Score:3, Funny)

        by GameboyRMH (1153867)
        They're all over the place:

        - Stuck to the back glass of pickups
        - Stuck to the back glass of poorly maintained econo-cars
        - Stuck to teenage girls' bedroom/dorm doors
        - Stuck to teenage girls' binders and backpacks

        Good luck getting them back...
  • Acidity (Score:5, Funny)

    by n3tcat (664243) on Thursday March 27, 2008 @08:53AM (#22880498) Homepage
    So Acid 4 will include security tests too now, right?
  • by Miros (734652) * on Thursday March 27, 2008 @08:55AM (#22880520)
    Sometimes it's just really not a good idea to push a piece of software out to hundreds of millions of people on its first release just because they use/update your other products. This is the real way that it could come back and bite them, and it certainly seems to have.
  • I wonder... (Score:5, Funny)

    by Fenice (1156725) on Thursday March 27, 2008 @08:55AM (#22880530)
    ...if Apple can sue itself for proposing illegal installs of Safari on Windows?
  • by downix (84795) on Thursday March 27, 2008 @08:56AM (#22880532) Homepage
    EULAs have gotten to the point that they conflict with themselves. One can then assume that Safari is intended for the Windows install on Mac machines, *or* on machines to which someone has applied an Apple brand sticker.

    I am waiting for the EULA that requires all users to declare the programmer their god and send off their first born child to him in sacrifice.
  • by Idaho (12907) on Thursday March 27, 2008 @08:57AM (#22880540)
    Can someone please explain to me how software could possibly "violate its own EULA" (even theoretically, not necessarily restricted to this case)?

    I agree that the EULA makes no sense, assuming that Apple wants as many Windows users as possible to use Safari. But that's an entirely different matter.

    In fact, the EULA can be adhered to without any problem: after all, you can install Windows just fine on Mac hardware these days. So you can actually run Safari for Windows on "Apple labeled hardware".

    I seriously doubt the way it is stated in the EULA is really Apple's intention though ;)
    • by hassanchop (1261914) on Thursday March 27, 2008 @09:02AM (#22880576)

      "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs."


      I got Safari as part of the iTunes update. I have a non-Apple Windows machine, running Safari. They basically forced the software on me, and the EULA says I can't use it.

      Does that answer your question?
      • by IBBoard (1128019)
        Was there a way to read the license agreement before installing the update? If there was then surely Apple are in the 'clear', as you can run Windows on an Apple and so it's not their fault that you installed something that you shouldn't technically have done.

        How are they to know the difference between Windows on a Mac and Windows on any other PC to determine whether to disable the 'bonus feature' or not?
        • Re: (Score:2, Interesting)

          When the updater pops up, at the very bottom of the window is a link to:
          http://www.apple.com/legal/sla/ [apple.com]

          At which point you as the user have to pick through a list of different licenses to get to what you may want.
        • by Hatta (162192)
          You really don't think they have a way to identify the hardware they manufactured?
          • by IBBoard (1128019)
            Potentially, but it'll be hellish invasive and a number of intrusion tools might pick it up. Most software just checks Windows version. Linux makes access to architecture and a couple of other bits easy. They could find that it's a dual-core Pentium, and that someone has set the vendor to "Apple", but does that mean it's an Apple?

            The only other way is that the updater maintains a list of what hardware configs Apple has, and then they'll need to keep updating that list and potentially get in to the situation
        • Re: (Score:3, Informative)

          by weicco (645927)

          How are they to know the difference between Windows on a Mac and Windows on any other PC to determine whether to disable the 'bonus feature' or not?

          Quite easily. Ask WMI. It knows a lot of stuff going on and under your Windows setup.

    • by SpeedyDX (1014595) <speedyphoenix@gmaiELIOTl.com minus poet> on Thursday March 27, 2008 @09:05AM (#22880600)
      Good points, though I think it can be explained in a much easier manner.

      As someone who regularly uses the functions "copy" and "paste", I can tell you that there are many times where I c/p a blob of text and forgot to change something crucial in it. This happens to many people. Apparently, the folks at Apple are not immune to human flaws.

      It's probably just an oversight. A HUGE oversight. But there's really no need to make a circus out of it. Then again, this is Slashdot, right?
  • Violating the EULA (Score:5, Interesting)

    by sm62704 (957197) on Thursday March 27, 2008 @09:01AM (#22880566) Journal
    How can you violate an agreement that you never agreed to? Does Microsoft have a copy of a contract with my signature on it saying I'll accept its terms of use for XP? If I had Safari would Apple have a signed contract?

    When I go to Best Buy I don't "license" an OS or piece of software; I pick a box up off the shelf, pay money for it and am delivered a purchase receipt. I then own the goods that I just BOUGHT. I am under no statutory obligation to read anything or sign anything. I tear open the box and do what I want with it, short of violating copyright law.

    Your EULA is fiction, and until I see one stand up in court I'm going to ignore it.

    -mcgrew
    • by ari_j (90255) on Thursday March 27, 2008 @09:06AM (#22880608)
      You are mistaking "signature" and "agreement." Signatures are not a prerequisite to a valid contract, they are merely very good evidence of agreement. You can get out of some contracts you signed and you can be held to some contracts you didn't. The lack of a signature is not the reason EULAs are of questionable enforceability.
      • by HuguesT (84078)
        In certain jurisdictions, yes, a signature is requested, sometimes even with extra handwritten approval (such as "I have read and I approve"), otherwise the contract is not binding.
      • by sm62704 (957197)
        It doesn't matter; I DO NOT AGREE nor do I believe that I have to. I bought the damned thing and copyright law doesn't give them the right to enforce a EULA.
    • by Ngarrang (1023425)

      I then own the goods that I just BOUGHT.
      If Microsoft has their way, this won't be true for the next versions of Windows.
      • by IBBoard (1128019) on Thursday March 27, 2008 @09:24AM (#22880774) Homepage
        It's not even that. Microsoft have their way in that regard now. What you own is the media with a binary copy of the application/operating system. What you license by agreement to the EULA is the rights to then install and use that software as a running process (or processes) on compatible hardware.

        Yes, it sucks, but that's what free software is for.
        • by russotto (537200) on Thursday March 27, 2008 @10:46AM (#22881776) Journal

          It's not even that. Microsoft have their way in that regard now. What you own is the media with a binary copy of the application/operating system. What you license by agreement to the EULA is the rights to then install and use that software as a running process (or processes) on compatible hardware.


          Sorry, but 17 USC 117 says that owning the binary copy already grants me the right to install and use the software.
    • by hassanchop (1261914) on Thursday March 27, 2008 @09:09AM (#22880638)
      http://en.wikipedia.org/wiki/ProCD%2C_Inc._v._Zeidenberg [wikipedia.org]

      "ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir., 1996), is a United States contract case involving a "shrink wrap license". The issue presented to the court was whether a shrink wrap license was valid and enforceable. Judge Easterbrook wrote the opinion for the court and found such a license was valid and enforceable."

      They've been held up in court. The issue isn't totally decided, with other cases dealing with more specific issues, but your "nah nah nah MARY HAD A LITTLE LAMB nah nah nah" fingers in the ears stance may not be legally prudent.
      • by elrous0 (869638) *
        Good thing I don't live in the 7th Circuit then.
      • ...but you can ignore it if it gives you no opportunity to read the licence *before* accepting, and you can ignore it if it gives you no opportunity to refuse

        So an automatic update with no interaction is very invalid ?

        • Re: (Score:3, Interesting)

          but you can ignore it if it gives you no opportunity to read the licence *before* accepting, and you can ignore it if it gives you no opportunity to refuse

          Well, I bet that the iTunes EULA includes somewhere in it the rights to expand the scope, yada, yada.

          I imagine that there is an anti-trust suit waiting to happen, since Apple has a near-monopoly on music downloads, which requires the iTunes player, which pushes Safari... If it's good enough for MS, it's good for Apple.

    • by Kjella (173770) on Thursday March 27, 2008 @09:26AM (#22880806) Homepage

      Your EULA is fiction, and until I see one stand up in court I'm going to ignore it.
      I guess you better close your eyes and hum real loud then. I'm not saying it's universal, but to take a few examples from the wikipedia page in Brower v. Gateway "the Supreme Court of New York ruled that the terms of the shrink-wrapped license document were enforceable because the customer's assent was evident by his failure to return the merchandise within the 30 days specified by the document." And regarding click-wraps: "Click-wrap licenses have met with more support in the courts, though notable counterexamples exist. In ProCD v. Zeidenberg, the license was ruled enforceable because it was necessary for the customer to assent to the terms of the agreement by clicking on an 'I Agree' button in order to install the software."

      The whole section on enforceability starts with "The enforceability of an EULA depends on several factors, one of them being the court in which the case is heard. Some courts that have addressed the validity of the shrinkwrap license agreements have found some EULAs to be invalid, characterizing them as contracts of adhesion, unconscionable, and/or unacceptable pursuant to the U.C.C." If you read between the lines, it says "No court has rejected EULAs outright". If you're outside the US, it seems to be much the same. Yes, Germany declared the bundling with Windows to be unenforceable, but the EULA as such still remains. In short, you're talking about the way you want it to be, not legal reality, except possibly in Kansas where there was a ruling agreeing with you.
    • by mini me (132455)
      If you do not agree to the license, you do not have a right to use said software. If, as you claim, a signature was required for the license to be valid, you would not have the right to use any software (except, perhaps, BSD-style and artistic licensed work) without giving your signature to Microsoft, Apple, etc.
      • Re: (Score:3, Insightful)

        by Just Some Guy (3352)

        If you do not agree to the license, you do not have a right to use said software.

        Especially in the case of boxed, purchased software, I gained the right when I gave the store clerk money in exchange for that software. In fact, since up until the point that I click "I Agree" to some ignorable EULA I haven't even given the illusion of agreeing to anything, it's my right to hack out any objectionable code (such as that EULA dialog). That's because I own that copy of the software.

  • Fine by me (Score:5, Funny)

    by asc99c (938635) on Thursday March 27, 2008 @09:03AM (#22880590) Homepage
    My iPod came with a big Apple sticker which for some reason I did stick on my PC. Guess I'm OK to use Safari then.
    • Re: (Score:2, Funny)

      by AioKits (1235070)
      My iPod came with those as well. Too bad there was not enough space left on my laptop after the Mozilla folk were nice enough to give me a sheet of Mozilla stickers for purchasing a few t-shirts and a laptop tote...
  • Switch? (Score:3, Funny)

    by blankoboy (719577) on Thursday March 27, 2008 @09:12AM (#22880670)
    Sheesh, I'm on the verge of finally switching from Microsoft to Apple (just been waiting on the new rev of the Mac Mini to appear) and they go and pull the funny business of trying to slip Safari on to Windows desktops that use iTunes. On top of that there is now this report of the security flaws found in Safari. So now Apple is carelessly pushing a security-risk browser onto unsuspecting client PCs. This is really underhanded and has me getting cold feet. Ubuntu perhaps....then?

    Apple, these sort of tactics really are not necessary. Don't take the low road please...you can win it by going on the high way.

    • Re:Switch? (Score:4, Insightful)

      by Shados (741919) on Thursday March 27, 2008 @09:16AM (#22880716)
      Apple has gotten where it is almost exclusively by taking the low road, with borderline false advertising and Microsoft-style tactics. They originally make an excellent product (Mac OS X, iPods, etc), get a name from it, then push it further using the low road. It's always been that way. If you're going to move away from Microsoft because of shady marketing as one of your primary reasons, stay clear from Apple. Jobs makes Ballmer look like a saint in that department.
    • some comments (Score:4, Informative)

      by nguy (1207026) on Thursday March 27, 2008 @09:32AM (#22880878)
      I think you should seriously consider Ubuntu: for all those things that people usually use a Mac Mini for (music, video, photos, web browsing, text processing, Skype, etc.), it's actually probably a better choice. Ubuntu supports more audio, video, and file formats, it's easier to keep updated, and all the applications are preinstalled. Oh, and Ubuntu will talk just fine to your iPod, and unlike iTunes, will let you copy both to and from the iPod.

      (I have a Mac Mini, an iMac, and several iPods, but I now mostly use my Ubuntu systems for everything)
  • Could someone please explain to me why anyone wanting an interface that uses Kon.. er QT.. er Safari would be using Windows in the first place?
    • by IBBoard (1128019)
      I think there's two target audiences:

      1) Apple fanbois who can't afford an Apple, or don't know about Boot Camp, or don't want to keep jumping between two different OSes, or just want a browser that looks like their iTunes.

      2) Web devs who want their sites to look reasonable for any Mac visitors.

      There's probably also a small number of people who might see it and be tempted to check out a full Apple computer because of it, but given that it'll stick out like a sore thumb in Windows then I doubt it.
      • by darthflo (1095225)
        About number 2: GP was asking about people who want to use Safari. As one sample out of your second group, let me tell you we don't want or like to use Safari nor MSIE 5.5. They're the really ugly stuff that need to be worked with sometimes, but that's everything but pleasurable.
    • by Shados (741919)
      2 reasons.

      A) Web developers.
      B) Steve Jobs worshippers.

      B is a freagin huge group of people.
  • Profit? (Score:5, Funny)

    by crt (44106) on Thursday March 27, 2008 @09:20AM (#22880738)
    Step 1: Install Safari on millions of unsuspecting Windows PCs
    Step 2: Sue non-Mac owning PC users for violating EULA
    Step 3: ???
  • The EULA says... (Score:2, Interesting)

    by mr_lizard13 (882373)
    ...I can install one copy of Safari on an Apple-branded computer

    It doesn't say how many I can install on non Apple-branded machines...
  • The latest version of Safari for Windows makes a mockery of end user licensing agreements

    I am trying to figure out why this is a bad thing, and I'm coming up dry. Help me here.
  • Everyone knows EULAs are a joke, and this certainly isn't the only one that's impossible to comply with [honeypot.net]. Are they legally binding anywhere?

  • Hardly surprising (Score:4, Interesting)

    by elrous0 (869638) * on Thursday March 27, 2008 @09:30AM (#22880858)
    Anyone who has ever tried to REALLY uninstall one of their apps (or get Quicktime to stop running in the background or sneaking back into your registry) should not be surprised. Apple software is sneaky, aggressive, and not to be trusted.

    And the heavy-handed tactics they use to push said software is truly amazing. If MS did half of the underhanded stuff Apple does, they would be dragged back into court in a heartbeat. Why Apple continues to get a free pass on such crap is beyond me.

    I will NOT install Quicktime, iTunes, Safari or any other Apple software on my computer. And I always advise others not to as well. It's just not worth the hassle (if Apple really wanted your business, and not just to sleaze their way onto your computer, they would sell iTunes songs through their website and not require a software download).

    • Re:Hardly surprising (Score:5, Interesting)

      by Shados (741919) on Thursday March 27, 2008 @09:44AM (#22881034)
      B...b....but Apple is not a monopoly! That means they can and SHOULD do this!!! /sarcasm.

      Seriously though, Apple is allowed legally for said reason, but I never understood why people accept it... I mean, last I checked, when Microsoft -started- doing that crap, they weren't a monopoly either...and look where it got us.

      That being said...watching a media player (iTunes) conflict with a RAID (I swear I've seen that happen) is quite amusing... Just exactly WHAT is that stupid thing doing anyway?
    • Re:Hardly surprising (Score:5, Informative)

      by Jeff DeMaagd (2015) on Thursday March 27, 2008 @10:20AM (#22881464) Homepage Journal
      I call BS. I just uninstalled iTunes and there's no background process or anything like that running, and no executable remaining. Maybe the program should have offered to remove the program preferences in your account, but there's no binary there.

      That "spyware" service you refer to is just a notifier to open iTunes when an iPod is connected. That's all it does. It's hardly malicious, and it doesn't report to Apple what you do with your computer.
  • The WebKit rendering engine has reached 100/100 [webkit.org] on Acid 3.
  • by Zelos (1050172) on Thursday March 27, 2008 @09:47AM (#22881070)
    Proof that nobody reads EULA, not even the people that write them?

    More likely, some tired programmer just copied the string resource across from another project without checking it.
  • GPL Violation? (Score:3, Interesting)

    by lky (246353) on Thursday March 27, 2008 @10:04AM (#22881254)
    IANAL but....

    The offending section seems to have an even bigger issue in it.

    It reads:
    B. Certain components of the Apple Software, and third party open source programs included with the Apple Software, have been or may be made available by Apple on its Open Source web site (http://www.opensource.apple.com/) (collectively the "OpenSourced Components"). You may modify or replace only these OpenSourced Components; provided that: (i) the resultant modified Apple Software is used, in place of the unmodified Apple Software, on a single Applelabeled computer; and (ii) you otherwise comply with the terms of this License and any applicable licensing terms governing use of the OpenSourced Components. Apple is not obligated to provide any updates, maintenance, warranty, technical or other support, or services for the resultant modified Apple Software.

    You expressly acknowledge that if failure or damage to Apple hardware results from modification of the OpenSourced Components of the Apple Software, such failure or damage is excluded from the terms of the Apple hardware warranty.
    ---

    Now, one of the open source components used in Safari was/is KHTML which is licensed under the GNU LGPL. Now this clause allows you to modify & use the open source components ONLY if you use them on a single system (assuming the Apple-labeled part has been fixed as I've heard).

  • by pyrbrand (939860) on Thursday March 27, 2008 @11:11AM (#22882050)

    Man, they're not even trying are they? This day and age, not only is there no excuse to ship with such a basic flaw, there's really no excuse to be programming in a fashion that would allow it. It's so easy to audit for basic overflows (at least on Windows) that it's silly. Even just compiling /GS with VC++ should protect you against a lot. Seriously, people give MS a bad rap these days, but any exploit you're going to see in their software these days usually takes advantage of complex system interactions or odd exception throwing.

    Apple should take a serious look at their coding practices and consider banning the use of unsafe CRT functions and using _s versions of any C functions they're using (Visual C++ has them and they're part of the next standard) or at a minimum requiring audits of all raw pointers. Static analysis tools should also be mandatory and should catch most issues. (http://www.spinroot.com/static/)

    • Seriously, people give MS a bad rap these days, but any exploit you're going to see in their software these days usually takes advantage of complex system interactions or odd exception throwing.

      That's because Microsoft's "Active Content" security model, introduced in 1997, pretty much created the 'complex system interactions' vulnerability ecosystem. Before then the whole idea that an application that displayed untrusted content would provide a path for that content to execute code with full local user priv
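The flaw in the story summary (a buffer mishandled for long download filenames) and pyrbrand's point above about banning unbounded CRT calls can be illustrated with a small defensive example. This is added code, not Safari's or Apple's, and the buffer size and function names are constructed for illustration. It shows the classic unbounded `strcpy` pattern beside a portable bounded copy that rejects names which do not fit (a portable stand-in for the `_s` functions pyrbrand mentions, since `strcpy_s` is not available on every compiler). Note that `/GS` stack cookies only make an overflow crash instead of being exploitable; they do not remove the bug, which is why the bounded check still matters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a fixed-size buffer for a downloaded file's name.
 * The size is an assumption for illustration, not a value from Safari. */
#define NAME_BUF 64

/* The unsafe pattern: an unbounded copy trusts the length of a filename
 * that ultimately comes from a remote server. A name longer than
 * NAME_BUF-1 bytes writes past the end of the destination (a classic
 * stack buffer overflow). Shown for contrast only; main() calls it with
 * a name that fits, and the test never calls it at all. */
static void copy_filename_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: the copy is bounded by the destination size, and an
 * over-long name is rejected outright rather than silently truncated
 * (truncation can change meaning, e.g. by dropping the extension).
 * Returns 0 on success, -1 if the name does not fit or an argument is bad. */
static int copy_filename_safe(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;

    /* Bounded length scan: never read more than dstsz bytes of src. */
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;

    if (n >= dstsz)            /* no room left for the terminator */
        return -1;

    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Returns 1 if the name is accepted into a NAME_BUF-sized buffer, else 0. */
int filename_fits(const char *src)
{
    char buf[NAME_BUF];
    return copy_filename_safe(buf, sizeof buf, src) == 0;
}

/* Builds a constructed name of 'len' 'A' characters on the heap and
 * reports whether the safe copy accepts it (1) or rejects it (0). */
int synthetic_name_fits(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    int r = filename_fits(name);
    free(name);
    return r;
}

int main(void)
{
    char buf[NAME_BUF];
    const char *short_name = "report.pdf";   /* constructed sample input */

    copy_filename_unsafe(buf, short_name);   /* fits, so no overflow here */
    printf("unsafe copy of short name: %s\n", buf);

    printf("safe copy of short name accepted: %d\n", filename_fits(short_name));
    printf("safe copy of 63-char name accepted: %d\n", synthetic_name_fits(63));
    printf("safe copy of 64-char name accepted: %d\n", synthetic_name_fits(64));
    printf("safe copy of 200-char name accepted: %d\n", synthetic_name_fits(200));
    return 0;
}
```

The design choice worth noting is the reject-rather-than-truncate policy: a download path that silently truncates a filename can still be abused to change which file gets written, so the safe copy treats "does not fit" as an error the caller must handle, and a static analyzer of the kind pyrbrand recommends will flag the `strcpy` in the unsafe version immediately.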
  • 0.5 billion users??? (Score:3, Interesting)

    by 4D6963 (933028) on Thursday March 27, 2008 @11:19AM (#22882166)
    500 million users of iTunes, really? 12% of the world population that has access to electricity, are you sure?? How many computer users are there even really out there anyways? And how the hell would you know how many single users for a program you have out there any bloody way? And why on Earth am I seemingly the only one out here that this figure made cringe?
  • by Nom du Keyboard (633989) on Thursday March 27, 2008 @11:44AM (#22882490)
    I already have good enough reason to feel Apple's whole approach to update sucks!

    All I want to do is update QuickTime on my XP box. I need it because of the .mov and .qt files it won't play otherwise. QT tells me there's a new update I must install, but the ONLY WAY Apple will provide me this update is bundled with iTunes which I DON'T HAVE and DON'T WANT!

    It's never a good idea to install software you have no need for (I'm one of the remaining 27 people in the world without an iPod), don't want (the software, or the iPod), and don't know how to avoid without just not updating in the first place.

    Why the hell does Apple think I need an iTunes update just to update their buggy QT?
