
Safari browser allows Mac to be easily taken over at hacker convention, Vista, Ubuntu machines survive the day

It has not been a good couple of weeks for Apple and Safari.  First Opera knocked it from its position as the sole browser with a 100 percent Acid3 score.  Then Apple tried to push the browser onto iTunes users as part of an iTunes update, which included a pre-checked install option for Safari.  The move was met with broad criticism, including from Mozilla's CEO, who commented that Apple was bordering "on malware distribution practices."  Finally, Safari users who updated to v3.1 reported many bugs and crashes.

Now the browser, which Apple CEO Steve Jobs once called the "most innovative browser in the world and the most powerful browser in the world", has had more bad news.  At the CanSecWest Show, an annual security conference, it was found that the Safari browser was surprisingly insecure, allowing successful attacks on Mac computers.

CanSecWest sponsors an annual hacking contest, which seeks to recognize vulnerabilities and give a comparative analysis of OS security.  A Mac, Vista machine, and Ubuntu box survived the first round, which only allowed pre-authentication attacks – a successful attack would have yielded a $20,000 prize.  However, on the second day, the flood gates were opened and hackers were allowed to use default-installed client applications.

The Mac fell within minutes, hijacked by security researcher Charlie Miller.  Miller compromised the computer through security flaws in the new Safari 3.1 browser, which he declined to make public.  For his takeover via the new vulnerability, Miller netted a sweet prize of $10,000.  Surprisingly, the hackers were unable to gain control of the Vista or Ubuntu machines that day.

On the third day, hackers were allowed to exploit popular third-party applications.  Hackers found the Vista machine surprisingly hard to crack in what they thought would be an "easy pickings" day.  The improved security is likely owing largely to SP1, perhaps because of NX support for heap memory.  In the end it was taken down by a cross-platform Flash Player attack.  The Ubuntu machine survived the day.

Some point out that the Mac and the other machines may be even more vulnerable than the contest indicates: a pre-authentication vulnerability might command a price of $50,000 or more elsewhere, making its use at the show unprofitable.  According to eWeek's security analysts, "Safari is prone to a remote code-execution vulnerability because it fails to adequately handle regular expressions with large, nested repetition counts. Inaccurate compilation lengths are calculated, and an overflow results."
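The eWeek description above (a repetition count whose expanded length is miscalculated, so whatever is sized from that length is too small) is the classic integer-overflow pattern in a size computation. The following is an added illustration, not Safari's or WebKit's code: a constructed toy pattern-length calculator whose grammar (literals, parenthesised groups and `{N}` counts), type names and `compiled_length` function are all assumptions, showing the unchecked arithmetic beside a checked variant that refuses to hand back a wrapped value.

```c
#include <ctype.h>
#include <stdint.h>

/* Toy model (constructed; not WebKit's or Safari's regex compiler).
 * "Compiled length" is how many slots a naive compiler would reserve
 * after expanding every repetition. Unchecked mode wraps modulo 2^32,
 * so (a{65536}){65536} computes to 0 and a buffer sized from it is far
 * too small; checked mode flags the overflow instead. */
typedef struct { const char *p; int checked; int overflow; } parser_t;
static uint32_t parse_seq(parser_t *ps);

static uint32_t apply_count(parser_t *ps, uint32_t len) {
    if (*ps->p != '{') return len;      /* no {N} suffix: length unchanged */
    ps->p++;
    uint64_t n = 0;
    while (isdigit((unsigned char)*ps->p)) {
        if (n <= UINT32_MAX) n = n * 10 + (uint64_t)(*ps->p - '0');
        ps->p++;
    }
    if (*ps->p == '}') ps->p++;
    if (n > UINT32_MAX) n = UINT32_MAX;  /* clamp absurd counts to 32 bits */
    if (ps->checked && n != 0 && len > UINT32_MAX / n) { ps->overflow = 1; return UINT32_MAX; }
    return (uint32_t)(len * n);         /* unchecked: silently truncated */
}

static uint32_t parse_seq(parser_t *ps) {
    uint32_t total = 0;
    while (*ps->p && *ps->p != ')') {
        uint32_t len = 1;               /* a single literal character */
        if (*ps->p++ == '(') {          /* a group: length of its contents */
            len = parse_seq(ps);
            if (*ps->p == ')') ps->p++;
        }
        len = apply_count(ps, len);
        if (ps->checked && total > UINT32_MAX - len) { ps->overflow = 1; return UINT32_MAX; }
        total += len;                   /* unchecked: the sum may wrap too */
    }
    return total;
}

/* Returns the computed length; *overflow is set only in checked mode. */
uint32_t compiled_length(const char *pattern, int checked, int *overflow) {
    parser_t ps = { pattern, checked, 0 };
    uint32_t len = parse_seq(&ps);
    *overflow = ps.overflow;
    return len;
}
```

In checked mode a caller treats `overflow == 1` as "reject the pattern", which is the mitigation for this bug class: the size used for allocation must be the size that was actually computed.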

Miller did not even need a new vulnerability; two others were already known for Safari.  The first is a simple overflow attack using zip files.  The second allows injection of content into a window belonging to a trusted site.

A recent independent analysis confirmed that Apple patches its vulnerabilities slower than Microsoft.  The analysis followed a controversial Microsoft report by Jeff Jones, known for trashing Firefox for its bugs.  The report indicated that 36 vulnerabilities in Vista were fixed over a total of nine patching events, and 30 unpatched vulnerabilities remained, while a total of 116 vulnerabilities were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities.

Apple's patches last year also pointed to a slower-than-acceptable patching pace.  They included fixes for four vulnerabilities known since 2006 and two known since 2005.  The oldest of these, a vulnerability in Apache, had a fix released by Apache in 2005.

Security experts point out that despite Apple's poor security record, its machines remain less attacked than Windows machines.  Many believe this is simply a matter of market share.  With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers, with the Safari browser taking the brunt of the attacks.


RE: Give up on the browser Apple
By michael2k on 3/31/2008 1:14:32 PM , Rating: 3
Except Safari is worth the time and resources to continue. If Apple doesn't have Safari, we wouldn't have:
1) WebKit
2) Safari for Mac (since IE for Mac was discontinued)
3) Safari for iPhone
4) Safari for iPod touch
5) Nokia based WebKit browser

Safari and WebKit have done a lot for mobile browsing and lightweight browsing. If Firefox could take market share away from IE, there is no reason to think Safari couldn't as well; competition means better browsers for everyone, so as long as Apple can afford it, I think Safari for Windows is a great idea, if for no other reason than that Microsoft and Firefox cannot "rest on their laurels".

RE: Give up on the browser Apple
By retrospooty on 3/31/08, Rating: -1
RE: Give up on the browser Apple
By DASQ on 3/31/2008 2:32:19 PM , Rating: 3
I think he was trying to hide for "If Apple didn't have Safari, they have one less aspect of control over your Mac".

RE: Give up on the browser Apple
By michael2k on 3/31/2008 3:32:01 PM , Rating: 2
You're not supposed to care about them. I didn't write that list of things that you should care about, it was a list of things that Apple cares about.

There is no IE, so Apple has to use Safari, on Mac. They likewise ported Safari to the iPhone and iPod touch in order to have the "best" web experience on those platforms; again, they don't need you to care.

WebKit is important because of its contribution to competition and diversity, since it is the foundation for Nokia's N60 browser and Android's web browser.

Which is where my last point concludes; WebKit and Safari are important for competition. It is already the most used mobile web browser over Pocket IE and Firefox. It's pushing Microsoft and Mozilla to try harder on portables, and that is good for us.

RE: Give up on the browser Apple
By 777 on 3/31/2008 4:46:08 PM , Rating: 2
competition means better browsers for everyone

Exactly, it's great we have choices and competition.

They likewise ported Safari to the iPhone and iPod touch in order to have the "best" web experience on those platforms; again, they don't need you to care.

Good point!

RE: Give up on the browser Apple
By omnicronx on 3/31/2008 2:34:13 PM , Rating: 2
WebKit is based directly on Konqueror (the integrated KDE browser from Linux)... Apple did not invent it.

So maybe you should change your list to.. if we didn't have KDE we wouldn't have
2) WebKit etc ;)

Google and Nokia also have a huge stake in WebKit, and when Google's Android OS comes out, it's going to wipe the floor with anything Apple's Safari has to offer...

RE: Give up on the browser Apple
By michael2k on 3/31/2008 3:26:45 PM , Rating: 2
I'm not disagreeing in the least. Without KHTML there would be no WebKit (more on and

Of interest is that Nokia's browser is based on WebKit; and so is Android.

So even if Android is competing with the iPhone, it can't "wipe" Safari because its basic web browsing component is the same as Safari's!

RE: Give up on the browser Apple
By omnicronx on 3/31/2008 8:05:05 PM , Rating: 2
Same component, different OS, different performance..
Safari performance is probably not the same across all platforms either.

By michael2k on 4/1/2008 2:37:47 PM , Rating: 2
I will re-iterate my point. If Android takes off, so too will WebKit because Android uses WebKit.

Which means, in the end, increasing competition against Microsoft and Firefox; as long as people use WebKit, then developers will fix WebKit, and therefore Apple will see positive returns on WebKit, further encouraging Apple to continue to develop and ship Safari.

The point of this thread was someone said Apple should can Safari, and the existence of Android, N60 browser, the iPhone, the iPod touch, and the Mac all argue against canning Safari.

RE: Give up on the browser Apple
By thartist on 3/31/2008 4:36:01 PM , Rating: 2
I agree with one thing: since Safari was introduced in the browser wars, that war and competition got incredibly hot and even Opera and Apple got to pass Acid 3 quite quickly (even if dev builds).

The rest: Safari has a chance and niche for Mac-ers running Windows, IE haters that will go Safari just because they like it or think Apple is cool, and a small number of random people, but the game already has its strong players AND Safari ain't really better than those.

Those 5 points you mention are not medium-weights and don't make for anything outside themselves to be honest.
