It was immediately savaged by researchers who spoke of the ease with which they found problems of all types: denial of service, remote code execution, cross-site scripting and cookie stealing. And there hasnt even been enough time for any sophisticated fuzz testing. Apple actually fixed most of those problems late at night on June 13, but you definitely get the impression from Safaris Day 0 and from Apples history with security in the last few years that the fouling of Safaris reputation is far from over.
It would be easy to dismiss the big-picture significance of it all, but Apple seems determined to make this a real problem. My concerns come from Steve Jobs statements that Apple might use the Windows iTunes software in order to distribute Safari. This the company seems to see as partly a brute force method of making users take the software and partly a "halo effect," in which the momentum of the iPod and iTunes creates momentum for Safari. (In fact, the Wikipedia page for "halo effect" uses the iPod as an example.)
In practical terms, what I expect is that when you download and install iTunes, youll get Safari too. This is already the case with QuickTime; I dont have an iPod but most times I install QuickTime on a system I end up with iTunes also, even though I really try to get the non-iTunes version. Apple makes it difficult. So its not hard to see iTunes downloads coming with Safari. Perhaps there will be a non-Safari version, but it wont be easy to find. Apples not the only company to pull this stuff.
Its also not hard to imagine links in the iTunes program launching Safari, regardless of what the default browser on the system is. Apples not the only company to pull stuff like that, either.
Youd think Apple was swimming against the flow, entering a rough market like this. I must say Im impressed at how Apple got all of the really key plug-ins ready for Windows for the beta release. I was especially surprised by the link for the Windows Media Player plug-in, http://port25.technet.com/videos/downloads/wmpfirefoxplugin.exe—I didnt expect that Safari would use Firefox plug-ins, but it appears to. I tested the Microsoft WMP Firefox plug-in in Safari and it loaded, although I couldnt get any content to play.
So whats all the fuss, youre asking: This is a beta, right? Well, that explanation doesnt have the currency it used to. How long has Googles Gmail been a beta? Ever since Netscape created the notion of releasing products with essentially no testing at all, and then talking out of both sides of its mouth about whether such products were ready for use by the public, people have lowered their expectations of software, particularly of Internet-specific software like browsers. If Apples going to call Safari the "worlds best browser," then it has to be at least as ready to use as the released ones.
The end-user license agreement includes all the appropriate warnings, of course, but nobody takes those seriously, especially when they say things like "BEFORE INSTALLING THIS APPLE SOFTWARE, YOU SHOULD BACK UP ALL OF YOUR DATA AND REGULARLY BACK UP DATA WHILE USING THIS APPLE SOFTWARE."
Of course, its not the beta period Im worried about. Its the creation of a major new attack surface against Windows users. Apples reputation among security researchers is far from stellar. The company has fixed scores of critical vulnerabilities in OS X over the last couple of years and has avoided real-world problems mostly through the low profile of the system in the market. But the population of iTunes users on Windows is a very large one and worth attacking. Its easy, for example, to envision malware disguised as iTunes coupons; actually, theres probably already a lot of that, but targeting Safari with it could make it more effective.
So heres hoping that Apple does a better job with Safari on Windows than its done with its other products, and fixes all security problems as quickly as it fixed yesterdays.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at firstname.lastname@example.org.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.