Feeds

Security researchers poke holes in Safari

Hot Fuzz

Top 5 reasons to deploy VMware with Tegile

Security hunters have discovered numerous bugs in a Windows version of Safari, hours after Apple released a beta version of the browser into the wild.

Both Windows and Mac OS X versions of Safari 3 were released at a developer conference in San Francisco on Monday as part of Apple's plans to grow its market share from 4.9 per cent. Apple chief exec Steve Jobs described Safari as "the fastest browser on Windows", claiming that it runs twice as fast as IE.

Pay back

Apple has adopted an antagonistic relationship with security researchers, particularly over recent months, so it's perhaps no surprise that white-hat hackers have been working overtime to unearth bugs in the firm's browser software.

Claims on the Safari download page that "Apple engineers designed Safari to be secure from day one" further motivated hackers to attempt to pee on Apple's parade - efforts that have not been in vain.

David Maynor, who's best known for discovering an infamous Wi-Fi hack of Apple machines running third-party drivers, has already discovered four denial of service (ie crashing) and two remote code execution bugs with the software. "Not bad for an afternoon of idle fuzzing," Maynor writes. "One of the bugs found in the beta copy of Safari on Windows works on the production copy of OSX as well," he adds.

Maynor and Apple are not on speaking terms in the aftermath of an unsavoury row that erupted after Maynor's presentation of Wi-Fi hacks at last year's Black Hat briefings. Apple is accused of helping to spread disinformation about Maynor and Jon "Johnny Cache" Ellch's methodology in a bid to discredit their research.

And there's more

Separately, security researcher Thor Larholm has uncovered a URL protocol handler command injection vulnerability that creates a means to inject hostile code onto Windows systems running beta versions of the browser software. "I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a website," Larholm writes.

Another security researcher, Aviv Raff, discovered another potentially exploitable memory corruption bug after pounding Safari with fuzzing tools.

As previously reported, users of the beta software on localised versions of Windows are also having problems. Safari is apt to crash for these users when loading bookmarks, for example. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.