Flaws Abound In Apple's Safari Beta For Windows
Researchers report pulling up bug after bug in the brand new code of Apple's Web browser for Windows XP.
Researchers were quick to dig up vulnerabilities in the beta release of Apple's brand new Safari for Windows browser.
Quick may be an understatement. Researchers were finding flaws in the new browser's coding within an hour of its release, according to Johannes Ullrich, chief research officer of the SANS Institute and chief technology officer for the Internet Storm Center.
This for the browser that Apple touted as enabling "worry-free" browsing. "Apple engineers designed Safari to be secure from day one," the company said on its Web site.
Safari for Windows is just in beta, which is all about testing and looking for bugs, noted Ullrich. The issue, though, is whether these same bugs can be found in the Safari for Apple's own OS X operating system. Some researchers said they've already made the connection.
"For this, it's not a big issue because it's a beta version," said Ullrich. "It is more of a concern that some of the vulnerabilities people find in the Safari for Windows version will be found in the Safari for OS X version... Would anyone bother writing an exploit for it? I don't know, but it's as dangerous as any browser exploit which involves the attacker running code on the user's system."
Eric Chien, a security response engineer with Symantec, posted in a blog Tuesday morning that four vulnerabilities had been found on Monday in the Windows version of the browser. He listed two denial-of-service (DoS) vulnerabilities, a flaw that enables remote code execution and a protocol handler command injection vulnerability.
"We have not seen these being used maliciously in the wild, but then again, they were just released hours ago," he said, reminding people not to use beta software in a production environment. "We definitely expect in-the-wild usage to follow in the future, as well as the discovery of more vulnerabilities."
Alfred Huger, a senior director with Symantec, told InformationWeek that the company's security team has seen one more proven vulnerability -- a remote execution flaw -- reported Tuesday.
"Where this is for the Windows platform, it's going to get more scrutiny," said Huger. "More researchers look at Windows applications, particularly browsers. ...Apple is going to be put in a position where they will have to respond quickly. The next few months will be pretty telling."
Several researchers are pounding the code looking for flaws.
Researcher David Maynor posted information on the Errata Security blog that they found a memory corruption vulnerability "in no time" and then went on to find six bugs -- four DoS and two remote execution flaws. "I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff)," wrote Maynor. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in OS X."
At one point in the blog, Maynor noted that new bugs were "popping out like hotcakes."
Security researcher Thor Larholm also is scouring the code and reportedly found a remote execution vulnerability.
Apple released the beta software on Monday during the Apple Worldwide Developers Conference 2007 in San Francisco. Citing Apple's experience serving more than half a billion iTunes downloads to Windows users, Apple's CEO Steve Jobs said he expected Windows users would welcome Safari's superior performance.
To prove his point, Jobs ran a performance comparison between Safari Public Beta 3 and Microsoft Internet Explorer 7, using VeriTest's iBench Version 5.0. Safari loaded Web pages in half the time it took Internet Explorer.