Apple Safari On Windows Broken On First Day
An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.
Uhhh...it's beta? (Score:2, Informative)
Wow (Score:5, Informative)
Who would've thought it!
Incidentally, it doesn't seem to like authenticating proxies at all, so my first experience with it was a bug too
However, making a big deal of, but not reporting bugs found in a beta release of something seems more than a little silly.
Fuzzing, not futzing. Proofread much? (Score:3, Informative)
Re:Installing Safari 3 public beta on G4? (Score:2, Informative)
Alpha or Beta? (Score:5, Informative)
The installation was smooth without any unexpected bumps on the road. First when I loaded the program, I noticed that no menu fonts nor any fonts whatsoever on the web pages existed. To make it worse, the browser would crash every time I clicked on anything with interactivity, such as the stop button. I have read quite a few solutions to this problem but so far no success. I run Win XP SP2, btw.
Anyway, there are more problems around the corner. According to the Apple forum, people can't play Windows Media files, dual monitor support is very buggy, some buttons screw up the GUI when pressed down and dragged, loads of spontaneous lockups, random letters appearing everywhere, installation problems, parental control issues and more. [apple.com]
Also, I am not a big fan of customized GUIs for crucial applications like a web browser. We should be able to use Windows ClearType instead of the ported OSX version (which sucks), and most importantly, we should be able to use the standard Windows themes. I don't get why Apple thinks the average Windows user would want a significantly altered browser that looks nothing like the rest of the operating system he or she is using. How would Mac users react if Internet Explorer was ported with the Windows theme?
I think it looks like a promising project, but I am worried because it's not in Apple's nature to release beta software with so many bugs and so little heart put into it.
Safari or Windows vuls? (Score:5, Informative)
IIRC, Firefox had that "URL protocol handler command injection" vulnerability (or something around those lines, correct me if I'm wrong) a few years ago and FF developers said it was the way Windows handles protocols. In the end, they had to change the way URLs are handled inside FF to prevent Windows from catching it.
Proxy Feature broken (Score:2, Informative)
Re:He notes in the blog that his company does not (Score:3, Informative)
Yeah, the only problem is that he is the only security researcher on Earth who has ever even claimed to be told this by Apple, and he has provided no evidence whatsoever of this supposed threat. Somehow everyone else who notifies Apple of vulnerabilities and even demonstrates them later has managed to not get sued or taken out by thugs in a back alley.
Basically he has posited a grand conspiracy with nothing but his own word that it exists. Nobody else who deals with the same people at the same company in the same manner has any idea WTF this guy is talking about.
Re:Maybe that's because... (Score:4, Informative)
Besides, from the screenshot of the crash reporter, it's a null pointer dereference (not a heap overflow) - so sure, it's a remotely exploitable denial of service attack, but the browser crashes because the software has detected a problem and decides that the safest way out is to dump core. Let's all go tell the world how broken Safari 3 for MS Windows is!
For example: http://www.trendmicro.com/vinfo/secadvisories/def
Have fun.
Re:You're dodging (Score:2, Informative)
Perhaps you, yourself, should have looked up the definition, ye lazy & bilesome rapscallion!
Re:shooting the messenger is now + 5 insightful? (Score:5, Informative)
Re:Alpha or Beta? (Score:1, Informative)
You mean that black letters on white background actually appear as black letters on white background sucks? You really prefer Windows' black-letters-appear-in-rainbow-colors technology? (http://upload.wikimedia.org/wikipedia/de/d/d4/Cl
I tried Safari for Windows only for a very short time at a friend's house so I didn't experience any crashes, but at least the font rendering was way better than the ClearType stuff in IE.
Proverbial code corruption (Score:3, Informative)
Pride goeth before destruction, and an haughty spirit before a fall. Proverbs 16:18 [gutenberg.org]
Re:So many keep saying "but it's a BETA" (Score:5, Informative)
It doesn't help that the definition of beta has become muddled over the years.
When I learned the stages of software development, it went something like this:
alpha - Code that doesn't compile or runs incorrectly. Alpha testing is literally checking to see if the code compiles and runs as expected, done by the developers themselves.
beta - The code works now, but there may still be major bugs. A small group of internal testers try it and report any bugs they find. This is now called "closed beta" by MMO developers or "alpha" by the Mozilla team.
gamma - The code works and most major bugs are fixed. The code is released to a large group of testers to find any remaining issues. This is now called "open beta" by MMO developers and "beta" by everyone else.
delta - The finished product. Only maintenance releases are done at this point. New features and major bugfixes are done on the next release. This is called "beta" by Google.
So... it sounds like Apple really does have a beta in the old meaning here, but released it to a large group of people.
Re:He notes in the blog that his company does not (Score:2, Informative)
2. Officially released software has bugs in it, unless you just run the base NetBSD system with only port 22 open, which is reasonably useless.
3. What is the difference between publicizing a bug and telling the developers what it is, and publicizing a bug and not telling the developers anything? There's a higher likelihood of the bug getting fixed if the devs are notified, and you still get traffic to your stupid blog. If you give a shit about software security and not just ad revenue, maybe you ought to report the bug.
4. THIS IS A BETA TEST VERSION OF A WEB BROWSER.
Comment removed (Score:1, Informative)
No, he was not. (Score:3, Informative)
Geez, if you really believe that whole Ou-invented idea that Apple somehow "orchestrated" a smear campaign against Maynor and got Dalrymple and Chartier to play along with them, you should stop reading zdnet and start reading a real news outlet. It's one of the most inane tech conspiracy theories I've ever heard.
Re:Thank you software ENGINEERS at Apple (Score:2, Informative)
*Every* time????
You might like to have a look at London's Millennium Bridge [wikipedia.org] (designed by one of the biggest Civil/Structural engineering firms in the world) or Ronan Point [wikipedia.org] (to name just two of the famous ones) and reconsider that statement a little.
Re:Maybe that's because... (Score:3, Informative)
The standard everywhere I've worked has been:
That sounds right for a beta to me. All of the things you list are in the category of bugs, not missing features that are supposed to be in. Beta code is not yet fully tested and has not been pounded on by users. It will almost always have these types of bugs.
Re:shooting the messenger is now + 5 insightful? (Score:3, Informative)