By Richard Koman / CIO Today. Updated March 27, 2008.
Argentinian hacker Juan Pablo Lopez Yacubian has discovered two critical flaws in Apple's Safari 3.1 browser for Windows, according to security firm Secunia.
First, Yacubian says, an error when downloading a .zip file with an overly long filename can be exploited to cause memory corruption. "Successful exploitation may allow execution of arbitrary code," Secunia's Web site says.
In addition, an error in the handling of Windows can be exploited to display arbitrary content while showing the URL of a trusted Web site in the address bar, the researcher reported.
Risk to Enterprises
"It's not good news when three days after releasing a significant update to any
software, that a researcher publishes two highly critical bugs for the new
release," said Andrew Storms, director of security operations for nCircle Network Security, in an e-mail.
"Further, the risk to enterprises and consumers alike have been further heightened as the proof of concept for these vulnerabilities is now readily available. The move from proof of concept to weaponization is just around the corner," Storms said. Indeed, the mix of research being reported at the CanSecWest security conference in Vancouver this week means that "weaponization has probably already occurred," he added.
The only bright point here is that "Safari still hasn't got the largest market share when it comes to browsers," Storms said.
Software Pushed on Users
News of the bugs comes in the context of Apple's controversial practice of pushing the new Safari to Windows users through iTunes' software updater. Even users who had never installed a previous version of Safari were offered the new software and, if they performed the default behavior of just clicking OK, they wound up with Safari on their hard drives.
The practice generated a firestorm of controversy, fueled largely by Mozilla CEO John Lilly's blog post that Apple was "wrong" and "bordering on malware."
"While this might have been an annoying situation to users," Storms said, "given the new Safari vulnerabilities, it's also a bigger security risk."
Practice 'Borders on Malware'
Lilly ripped into Apple on his blog, saying, "What Apple is doing now with their Apple Software Update on Windows is wrong. It undermines the trust relationship great companies have with their customers, and that's bad -- not just for Apple, but for the security of the whole Web."
He added that it's "critically, crucially important for the security of end users and for the security of the Web at large that people stay current. If people don't update software regularly, it is impossible for them to remain safe." So if users are turned off by Apple's updates because they feel burned about having Safari thrust upon them, overall Web security it harmed.
"Apple has made it incredibly easy -- the default, even -- for users to install ride-along software that they didn't ask for, and maybe didn't want. This is wrong, and borders on malware distribution practices," Lilly said.
So far, Apple has not commented on Yacubian's vulnerability report.