Among the security holes is a vulnerability that may enable an attacker to disguise the address bar, which opens the possibility of a user being tricked into visiting a phony site and providing confidential information, according to security experts.
An attacker may also be able to direct the browser to a fraudulent website that may download malware onto the user’s computer.
Apple doesn’t detail the vulnerabilities on its website. Instead, it says the new beta has the latest security updates, improved stability and fixes for text display, non-English systems, and start-up times.
The second beta release can also better handle RSS feeds, HTTP authentication and empty content-type headers, security experts said.
The first vulnerabilities identified for Safari 3 for Windows beta surfaced on at least three security blogs within hours of Apple CEO Steve Jobs announcing the software at the Worldwide Developers Conference on June 11, in San Francisco. Two days later, Apple updated its beta Safari for Windows, fixing three security issues. The initial Safari 3.0.1 was only for Windows XP and Windows Vista users because the security issues did not affect native Mac OS X computers.
However, Apple also released updates for Mac OS X 10.3, or Panther, and 10.4, Tiger, to address problems in the bundled Safari browser, including a memory corruption vulnerability that may enable an attacker to take control of a computer.
Our View
Since Safari 3 was announced, Apple’s marketing team has pushed it, both for Windows and Mac, as designed to be secure from day one. So security experts and some media have relished this clearly not being the case. However, the fact that some bloggers found no fewer than four denial-of-service attacks, among other vulnerabilities, during the afternoon following Safari 3 beta’s morning release does give cause for criticism of, at least, Apple’s PR machine.
Within two hours of downloading and using Safari for Windows, for example, Thor Larholm of the Larholm.com blog said he found a fully functional command execution vulnerability, triggered without user interaction simply by visiting a Web site.
A skeptic may question whether Apple rushed the beta release to coincide with its developers conference, in the absence of another major Apple announcement, which devs, Mac prosumers and the media have lately begun to expect. A sure sign that a company or technology is becoming overhyped is when reporters get visibly wild-eyed while covering it – and there was plenty of applause coming from the media pit at the recent Apple dev conference.
Then again, Safari 3.0.2 is just beta software. The more beta updates that are released, the more robust the OS will be when it launches to the public in a few months. After all, Microsoft regularly patches Internet Explorer. On June 13, for example, Microsoft issued a security bulletin for IE that was deemed critical – its highest security rating.
The hoopla around Safari 3 beta being patched twice in less than a week may have more to do with the hype surrounding Apple, which has been in overdrive since the announcement of the iPhone, than the robustness of its forthcoming browser.