Within hours of Apple's public release of the Safari 3.0 beta for Windows, three security researchers independently found holes in the new browser. In a blog post, researcher Aviv Raff highlighted the company's product statement, which reads: "Apple's engineers designed Safari to be secure from day one." Raff found a vulnerability, a memory corruption error that could allow an attacker to insert malicious code on a Windows machine, within three minutes using publicly available fuzzing tools.
Security researcher David Maynor, posting on his Errata Security blog, said he was also able to generate a memory corruption error "in no time." By the end of the day, he had found a total of six bugs: four producing a denial of service (crash), and two that could allow remote code execution.
Veteran security researcher Thor Larholm wrote in his blog that he found a "0day" vulnerability in Safari within two hours. The flaw exists in how Safari handles URL protocols within Windows, causing a denial of service (crash). Larholm has published an exploit to demonstrate the flaw.
All of the vulnerabilities were found on Windows machines; none of the researchers could say whether these flaws also existed on the Mac OS.