Danger Lurks Around the Corner with Apples Safari

By Larry Seltzer  |  Posted 2007-06-14 Print this article Print

Opinion: Apple leaves plentiful low-hanging fruit for researchers. Will the iTunes "halo effect" lead many a Windows PC into the afterlife?

Why will you love Safari for Windows? One reason, according to the Safari Web site, is that "Apple engineers designed Safari to be secure from day one." I guess were at Day 0 now, because no program in my experience has had a more brutal first few hours on the Internet than Safari for Windows. It was immediately savaged by researchers who spoke of the ease with which they found problems of all types: denial of service, remote code execution, cross-site scripting and cookie stealing. And there hasnt even been enough time for any sophisticated fuzz testing. Apple actually fixed most of those problems late at night on June 13, but you definitely get the impression from Safaris Day 0 and from Apples history with security in the last few years that the fouling of Safaris reputation is far from over. It would be easy to dismiss the big-picture significance of it all, but Apple seems determined to make this a real problem. My concerns come from Steve Jobs statements that Apple might use the Windows iTunes software in order to distribute Safari. This the company seems to see as partly a brute force method of making users take the software and partly a "halo effect," in which the momentum of the iPod and iTunes creates momentum for Safari. (In fact, the Wikipedia page for "halo effect" uses the iPod as an example.)
In practical terms, what I expect is that when you download and install iTunes, youll get Safari too. This is already the case with QuickTime; I dont have an iPod but most times I install QuickTime on a system I end up with iTunes also, even though I really try to get the non-iTunes version. Apple makes it difficult. So its not hard to see iTunes downloads coming with Safari. Perhaps there will be a non-Safari version, but it wont be easy to find. Apples not the only company to pull this stuff.
Its also not hard to imagine links in the iTunes program launching Safari, regardless of what the default browser on the system is. Apples not the only company to pull stuff like that, either. Youd think Apple was swimming against the flow, entering a rough market like this. I must say Im impressed at how Apple got all of the really key plug-ins ready for Windows for the beta release. I was especially surprised by the link for the Windows Media Player plug-in, http://port25.technet.com/videos/downloads/wmpfirefoxplugin.exe—I didnt expect that Safari would use Firefox plug-ins, but it appears to. I tested the Microsoft WMP Firefox plug-in in Safari and it loaded, although I couldnt get any content to play. Click here to read eWEEK Labs review of the Apple Safari beta. So whats all the fuss, youre asking: This is a beta, right? Well, that explanation doesnt have the currency it used to. How long has Googles Gmail been a beta? Ever since Netscape created the notion of releasing products with essentially no testing at all, and then talking out of both sides of its mouth about whether such products were ready for use by the public, people have lowered their expectations of software, particularly of Internet-specific software like browsers. If Apples going to call Safari the "worlds best browser," then it has to be at least as ready to use as the released ones. The end-user license agreement includes all the appropriate warnings, of course, but nobody takes those seriously, especially when they say things like "BEFORE INSTALLING THIS APPLE SOFTWARE, YOU SHOULD BACK UP ALL OF YOUR DATA AND REGULARLY BACK UP DATA WHILE USING THIS APPLE SOFTWARE." Of course, its not the beta period Im worried about. Its the creation of a major new attack surface against Windows users. Apples reputation among security researchers is far from stellar. The company has fixed scores of critical vulnerabilities in OS X over the last couple of years and has avoided real-world problems mostly through the low profile of the system in the market. But the population of iTunes users on Windows is a very large one and worth attacking. Its easy, for example, to envision malware disguised as iTunes coupons; actually, theres probably already a lot of that, but targeting Safari with it could make it more effective. So heres hoping that Apple does a better job with Safari on Windows than its done with its other products, and fixes all security problems as quickly as it fixed yesterdays. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel