Apple's first Safari web browser for Windows has multiple security flaws that put users at risk, researchers say. (Saleem Khan, CBC News)
Researchers have discovered security vulnerabilities in the test version of Apple's first Safari web browser for Windows after it was unveiled on Monday.
On the Safari download page on Apple's website, the company says "Apple engineers designed Safari to be secure from day one," but computer security experts found flaws in the beta version of Safari for Windows within hours of its debut at the Apple Worldwide Developers Conference in San Francisco that ends Friday.
The weaknesses could allow an attacker to fool people into thinking they are visiting one site while they are at another, crash Safari, deny users access to the web or even hijack a machine with little to no action of their own, the researchers report.
Polish security researcher Robert Swiecki noted on Wednesday that an attacker could steal the new browser's information files or cookies and use them to make it appear as though the user is visiting a legitimate site — even displaying a real web address and title — when they are really at another website.
Attacks of this kind could be used to fool someone into thinking they are visiting a banking site, for example, and trick users into disclosing account and password information.
Independent Israeli security researcher Aviv Raff found that he was able to crash the Safari beta for Windows browser using a tool he co-created to find flaws in web browsers.
Weakness extends to Safari for Mac
David Maynor, chief technology officer of Errata Security, stated on his company's weblog that in one afternoon, he found six weaknesses in the browser, including two so-called "remote code execution" flaws that could allow an attacker to hijack a computer running the software.
"We have weaponized one of those to be reliable," Maynor wrote in a post to Errata's blog, describing proof-of-concept code his team had written to consistently exploit one of the weaknesses.
He also noted that the vulnerabilities in the Windows version of Safari exist in current versions of the software that run on Apple's Mac OS X operating system as well.
"The bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," Maynor wrote, noting they had been verified in Safari version 2.0.4 for Mac OS X.
Attacks set to explode: researcher
"Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser," Danish security researcher Thor Larholm wrote in a post to his blog.
Larholm also detailed a security hole that would allow an attacker to run remote code.
The weaknesses outlined by Maynor and Larholm would affect a user who is tricked into visiting a specially crafted web page.
"Even if these vulnerabilities didn't exist, we wouldn't recommend using beta software in a production environment," Symantec security researcher Eric Chien wrote in a post to the company's Security Response blog. "Hopefully many of these bugs will be scrubbed before the official release."
Johannes Ullrich of the SANS Institute — a computer security industry education and research centre — shared Chien's sentiment, cautioning people against relying on beta software as they would a finished product.
"We all know better than to use beta software in production," he wrote in a post to the SANS blog, adding that people who want to try early versions of programs can reduce their risk.
"You can minimize the impact. Keep a 'beta' machine around. Use it to install all the free trials, latest beta versions and other junk. The machine will soon become too unstable to use, making the desire for even more free-trial-super-feature-enhanced software wane quickly."