Apple has unveiled a beta version of its Safari Web browser for Windows and Mac, prompting vulnerability researchers to release details of a slew of bugs.

Within hours of the release, security researcher David Maynor claimed to
have found six vulnerabilities in Safari version 3 beta. Four of the
vulnerabilities are simple denial-of-service bugs that crash the
browser, but two of the flaws allow remote execution, he said in a post
to his company's blog.

Israeli researcher Aviv Raff also claimed to have uncovered several
bugs, while another researcher, Thor Larholm, revealed a "fully
functional command execution vulnerability, triggered without user
interaction simply by visiting a website".

"Given that Apple has had a lousy track record with security on OSX, in
addition to a hostile attitude towards security researchers, a lot of
people are expecting to see quite a number of vulnerabilities targeted
toward this new Windows browser," Larholm said on his website.

Many industry analysts see the rush to compromise Safari as a by-product
of Apple's assurances that the browser is especially secure. The
company's website claims: "Apple engineers designed Safari to be secure
from day one." It is also the first time Safari has been available for
Windows, the most-installed OS.

John Colombo, managing consultant for security practices at Cap Gemini,
said: "Apple has clearly set itself up for this, and its refusal to
engage with security researchers only adds fuel to the fire."