Apple Safari On Windows Broken On First Day 595
An anonymous reader writes "David Maynor, infamous for the Apple Wi-Fi hack, has discovered bugs in the Windows version of Safari mere hours after it was released. He notes in the blog that his company does not report vulnerabilities to Apple. His claimed catch for 'an afternoon of idle futzing': 4 DoS bugs and 2 remote execution vulnerabilities." Separately, within 2 hours Thor Larholm found a URL protocol handler command injection vulnerability that allows remote command execution.
Re:it's beta (Score:3, Interesting)
From wikipedia -> http://en.wikipedia.org/wiki/Software_release_cycl e#Beta [wikipedia.org] , this is a prototype / preview / early access.
Report the bugs and they will probably get fixed.
I'm amazed that things like this get to the story line on /. .
Re:Maybe that's because... (Score:3, Interesting)
IMO... If you release it quietly, so only the diehards are really pounding it, you can keep the "it's a beta" excuse. If you hype the release, you lose the excuse.
- Greg
Re:He notes in the blog that his company does not (Score:3, Interesting)
Ah yes, giving away FREE software and expecting people to use it for FREE. In turn for that FREE use, if someone finds a bug it's absolutely ludicrous to expect them to report it.
Now mind you I understand why they may be giving it out for FREE, probably so people can FREEly develop for the iPhone, widgets and browser.
Maybe they should have created an IDE that wasn't FREE so you can pay for the tools to develop on their FREE platform, and use that money to pay for the QA department, so I can be FREE of you haters and your whining.
Another hackable part of Safari/Windows (Score:3, Interesting)
Therefore it's possible to use the OSX CoreFoundation and CoreGraphics headers to link to the Windows DLLs natively and create native Windows "psuedo-OSX" apps.
I believe CoreFoundation.dll has been around with WebObjects for Windows NT for a while, but I think CoreGraphics.dll is a new Apple "release" (I remember some anger over Apple not porting CoreGraphics when WebObjects/NT first came out).
I've documented some of what I've poked around today (just a screenshot and simple description for the moment) at http://pages.brianledbetter.com/ [brianledbetter.com]
Re:Alpha or Beta? (Score:3, Interesting)
Apple most likely wants as much free press about the iPhone as is possible as it gets closer to its release date, so why not get the dev community a little more excited. It sucks that this safari beta isn't quite ready, but safari is pretty well respected on the mac, so I have faith that it'll quickly improve on Windows.
Still waiting for the page to load... (Score:2, Interesting)
Google.com takes 45 seconds to load. CNN.com, several minutes for just the text to load (haven't seen any images yet), I have yet to see the safari home page fully load. It has now been about 8 minutes since i started the browser and the home page is still loading and has a blank screen. OK CNN just finished loading 12 minutes later. Slashdot, about 2 minutes for just the text, and about 5 minutes for the whole page. (And yes, i've tried restarting/rebooting several times)
This is all on a 7 mbit cable connection, using Firefox, CNN.com, or mostly any other page for that matter, takes about 3 seconds or less to fully load, including all the flash animated ads. So figuring there must be something wrong with my PC, I install safari on my laptop. Nope! Same results. I upgrade ITunes, thinking there might be some strange dependency on the latest version of quicktime, but no difference. I disable my (software) firewall, and antivirus.. and again nothing.. still watching the grass grow faster than the page loads... Anyone else experience this?
Re:He notes in the blog that his company does not (Score:3, Interesting)
However, I'll agree that the attitude this researcher has is terrible. For starters how do we know he actually discovered all these vulnerabilities? I could claim I discovered some too and I won't disclose them. Secondly, why wouldn't he share the information with Apple, why bother discovering all these vulnerabilities in the first place? It's not like he's a black hat (AFAIK) so the only other reason I see is the attention you get from such comments.
Besides I'm sure some people will gladly help Apple test their _beta_ browser. I'm all for more competition on the browser space, put some pressure on all players so they produce better stuff.
Re:shooting the messenger is now + 5 insightful? (Score:5, Interesting)
The main thing is how the URL handling works, under Windows Safari passes the URL to the Windows URL handler, which just finds the application and then dumps the rest on the command line, which gives many remote execution issues. Under MacOS the MacOS URL handler finds the application, and then dispatches an OpenURL AppleEvent (I think, similar to that anyway) towards the application, which then has the responsibility of parsing and loading the URL.
I'm guessing that the engineers didn't look too hard at how the OS deals with URLs and just assumed it would be safe.
From here @ WWDC... (Score:5, Interesting)
The vibe amongst the attendees is a weird mix of disbelief and bewilderment. Safari for Windows was not the big deal Steve was hoping it would be. In fact, most of the conversations I've overheard are pretty critical of this direction.
I don't think Apple is serious about competing for market share against FF or IE on Windows. I think they're offering the development platform based on Webkit so that web developers can make sure their code looks OK on the iPhone. Webkit-iness seems to be the only development platform for iPhone Apps.
Or, maybe Steve is starting to drink his own Kool-Aid.
Re:shooting the messenger is now + 5 insightful? (Score:5, Interesting)
I, like a lot of other web developers out there, wanted Safari for the purpose of adapting web pages to Yet Another Popular Browser's bugs.
So, what did I find when I downloaded Safari? The ridiculously useful debug menu was gone!
Now, all the docs on how to enable it are for Safari on the Mac, understandbly. What to do?
Kill Safari
Open C:\documents and Settings\[You]\Application Data\Apple Computer\Safari\Preferences.plist
Add, in what appears to be the logical place: IncludeDebugMenu1
Load Safari. Now developer-useful things like the Javascript Console are available to you.
Re:Maybe that's because... (Score:3, Interesting)
And similarly, the canonicalization failure handling iframes is not platform specific. Apple knew about the potential for exploitation of that particular vulnerability, they mitigated it for basic links, but didn't when the link was in an iframe. So again it's not platform specific.
nuf said.
Yes I know its a beta! Why was it really released (Score:2, Interesting)
Now it may be a beta, but the browser seams VERY buggy, too buggy to be a beta (according to other peoples testimonies, not my own experiences). I think apple has missed out on a great opportunity to gain market share here becuase there will be many people who have tried the browser, had major issues, and now will never go back. Yes I know it is a beta! (preempting the hoards).
I also think that the product was rushed to market, and that apple would never have released the browser in this condition had it not been for WWDC 07. I think they just could not get it to the point they would have wanted in time. And I agree with those above who have said the browser exists mainly for testing iPhone Apps in. Time will tell if they made the right decision here.
I would sugegst to anybody out there to wait a couple revisions before really trialling this application unless you are going to use it to connect to trusted websites you already know, or looking to develop for the iPhone.
Now where is my developer copy of Leopard. We non attending Apple Developer Select Members always get made to wait a couple months
The entire UI is broken (Score:5, Interesting)
Crashes Safari 3 on Mac OS X too (Score:5, Interesting)
Re:The entire UI is broken (Score:3, Interesting)
I meant that the Mac has a theme engine and Windows has a theme engine. Both have a bunch of APIs that you can call easily from any app to render a button, scrollbar, checkbox etc. in the platform style. This is exactly how Firefox and Java manage to render themselves with a native look and feel even though they don't use native widgets. In porting Safari to Windows Apple have also ported the theme engine from OS X meaning the app doesn't look or behave like any other Windows app. There appears to be absolutely no valid reason to do that when Windows has a theme engine of its own. Cocoa could invoke calls on that to render widgets but it doesn't. It makes Safari look atrocious and completely non standard when running in Windows. I'm hoping they will fix this because I don't see any reason at all to use Safari when it can't even be bothered with basic consistency.
Microsoft would be killed if they pulled the same stunt, releasing an IE port with Aeroglass theme for Linux or OS X, and rightly so. MS actually did release an IE 4 for Unix and it was abysmal, running through some Win32 thunk. I don't see why Apple should have a free pass. If anything they should know better.
Re:He notes in the blog that his company does not (Score:4, Interesting)
Looking at changelists for bugfix releases of Mac OS X, Apple regularly fixes non-public vulnerabilities and credits the people who found them. They do downplay these issues, and some managers from Apple have publicly lied about vulnerabilities in the past, but they do fix them pretty quickly and give proper credit.
For all we know, Maynors own account of his issues with Apple bear little resemblance to what really happened.
How did this get modded informative? (Score:3, Interesting)
Also, I would note that Quartz (which renders fonts on modern Macs) also use subpixel font rendering; MS merely did it first.
The differences in font rendering between Windows and Mac are due to other reasons, which I explain here [slashdot.org]