Safari 3.0 beta hit with six vulnerabilities within hours after launch
San Francisco (CA) – Apple may have to start patching security holes in its new Safari browser sooner than expected: Security researchers already have discovered multiple Denial of Service (DoS) and remote execution exploits.
The first round of vulnerabilities was described on three security blogs, published by security researchers Aviv Raff, David Maynor and Thor Larholm. The findings dent Apple’s claim that Safari 3.0 was “designed to be secure from day one.”
Apple has not yet reacted to these reports. David Maynor of Errata Security said he does not intend to release the information about the vulnerabilities to Apple and explained this decision by stating: “if a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pen-testing. We do not sell the vulnerabilities to any 3rd party.”
It is interesting to note that Apple’s press release almost exclusively highlighted the browser’s performance rather than its security capabilities. However, the firm outlines security features on its website and writes that the software supports “robust encryption (…) that protects all your information from online eavesdroppers.” There is no information on advanced security features that have been available in Microsoft’s Internet Explorer 7 or Firefox 2, such as an anti-phishing filter. Some Mac-focused websites mentioned that Safari will be receiving this feature, but it appears that it won’t be an Apple-developed feature but an add-on that uses Google’s phishing filter.
Since Safari 3.0 is still in beta, Apple has time to fix vulnerabilities and its relationship with security researchers. Bugs and vulnerabilities should be expected in test versions, but Apple’s decision to provide a Windows browser certainly will expose the software to much more aggressive hackers.