Safari for Windows - the portal is open
Kevin was all over Steve Jobs yesterday (no, not like that): he told us about Apple's release of the Safari web browser for the Windows platform. I've seen a lot of hoopla about that since the beta version was released, and most pundits are thinking the release is to give Apple a Windows connection for the iPhone. That is probably one of their goals, but it seems to me there is another, unwanted, portal that is going to be opened by a Windows version of Safari: security exploits. I think we just may see Safari for Windows become the training wheels for hackers who now have a Windows-based portal into writing exploits that will make it back to the Mac side. We know there is no shortage of jerks writing browser-based security hacks, and now they have Safari to practice with. Remember where you heard this.








Wasn't this possibility already opened with Firefox? FF is cross-platform and holds double-digit market share. How is Safari any more appealing to hackers than Firefox?
Posted by: Sumocat | June 12, 2007 at 08:17 AM
Safari is a native Mac app, Firefox is not.
Posted by: James Kendrick | June 12, 2007 at 08:51 AM
I'm not trying to be a jerk, but I don't get your point. Safari has always been a native Mac app. It has always been possible to exploit holes in its security. I don't see what difference the Windows version makes.
Posted by: Sumocat | June 12, 2007 at 09:38 AM
Firefox is a native Mac app in the context of your security assertion. Visually, it's obscured, because they have their own themed controls, but it is technically a native Mac app, it's compiled to Mach-O and it uses the high-level Mac UI frameworks to ultimately display the custom skins.
That aside, you're really overestimating the potential issues here. Safari is running on Windows using the Windows runtime ABI -- they ported some Mac libraries, but they're using the standard Windows executable runtime and calling conventions, which differ in almost every possible aspect from those of the Mac. It's not going to take any less effort to exploit across platforms than any two comparable web browsers on disparate platforms. Everything will be located at different addresses, the stack won't look the same, etc.
The exploitable cross-platform vectors are going to be JavaScript, Flash, and Java, as always.
Posted by: Chris | June 12, 2007 at 12:22 PM
http://www.theregister.co.uk/2007/06/12/safari_security_bugs/
"David Maynor, who's best known for discovering an infamous Wi-Fi hack of Apple machines running third-party drivers, has already discovered four denial of service (ie crashing) and two remote code execution bugs with the software. "Not bad for an afternoon of idle fuzzing," Maynor writes. "One of the bugs found in the beta copy of Safari on Windows works on the production copy of OSX as well," he adds."
Posted by: Mickey Segal | June 12, 2007 at 12:42 PM
This Maynor guy proves my point, it's now possible to exploit Safari using Windows PCs for those nefarious sorts who don't have Macs. That's what I'm saying here.
Posted by: James Kendrick | June 12, 2007 at 01:17 PM
1. That isn't what you said above, and it's also not what Maynor said. Reread your own post. You're implying there's going to be an epidemic of this sort of thing, and it's just not going to happen, because it would have already happened for Firefox, as Sumocat says. Firefox is a really attractive target. You can exploit three platforms at once if you're really talented (and there's an appropriate bug).
2. You don't even know who Maynor is (hint: an infamous attention-seeking troll who's made these sorts of claims before and failed to back them up). The poster above is yanking your chain with the "discovering an infamous Wi-Fi hack;" he's actually best known for *claiming* to have found one and never backing it up (a high-profile hoax).
I suppose Maynor might even deign to reveal the exploits this time (eventually). But it's like relying on a Rob Enderle quote: based on past experience, you can't take anything he says at face value.
Security is a difficult topic to get right. You simply don't understand the technical background or the personalities involved.
Posted by: Chris | June 12, 2007 at 01:34 PM
Wait, doesn't Maynor's example support my point? He hacked Safari for Windows and found a flaw that affects the Mac version of Safari. Isn't the same thing possible for Firefox or Opera? Also, Maynor is supposed to be an experienced Mac hacker. I don't see how the "training wheels" apply.
Posted by: Sumocat | June 12, 2007 at 01:40 PM
Note: I hadn't seen Chris's comment when I started writing and it didn't take me more than six minutes to write that. I had tabbed the link, read it, then came back to this tab and posted.
Posted by: Sumocat | June 12, 2007 at 01:44 PM
Unfounded. Period. Just because Safari is now on Windows means nothing. The exploit would have to be cross-platform, and depending on the module the exploit is using, it could even happen on Konqueror on Linux, which also uses KHTML (or, as Apple folks call it, WebKit).
Pundits don't really know anything. They just pontificate.
Posted by: gork | June 12, 2007 at 03:31 PM
You're on record, fiend:
http://mikecane.wordpress.com/2007/06/12/code-terrorists-to-apple-thanks-for-the-safari-d00ds/
We'll all blame you now. Heh-heh. Shoot the messenger and all that.
Posted by: Mike Cane | June 12, 2007 at 03:35 PM
Although I think it's smart of Apple to push products onto other platforms, I wonder how much it costs them to work out newly discovered kinks. For instance, this article describes security flaws in Safari for Windows...
http://www.thenewsroom.com/details/403582?c_id=mam
--Matthew from the Sci-Tech desk at TheNewsRoom.com
Posted by: Matthew | June 13, 2007 at 03:34 PM
I hope this Maynor chap finds lots of bugs in the beta and Apple fixes Safari to become the best browser on Windows and Macs.
Posted by: Neil Anderson | June 13, 2007 at 07:51 PM