Want CNET to notify you of price drops and the latest stories?

Security researchers: Safari for Windows not so secure

Within hours of release, veteran researchers find holes in the new Windows browser from Apple and post their results online.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Robert Vamosi

Within hours of Apple's public release of the beta for Safari 3.0 for Windows, three security researchers independently found holes within the new browser. Researcher Aviv Raff highlighted in a blog post the company's product statement, that reads: "Apple's engineers designed Safari to be secure from day one." Raff found a vulnerability, a memory corruption error that could allow an attacker to insert malicious code on a Windows machine, within three minutes using publicly available fuzzing tools.

Security researcher David Maynor, posting on his Errata security blog, said he was also able to generate a memory corruption error "in no time." By the end of the day, he was able to generate a total of six bugs--four producing a denial of service (crash), and two capable of executing remote code.

Veteran security researcher Thor Larholm wrote in his blog that he found a "0day" vulnerability in Safari within two hours. The flaw exists in how Safari handles URL protocols within Windows, causing a denial of service (crash). Larholm has published an exploit to demonstrate the flaw.

All of the vulnerabilities were found on Windows machines; none of the researchers could say whether these flaws also existed on the Mac OS.