Vulnerability researchers have applauded Apple for fixing
flaws in Safari for Windows within days of their disclosure
but some are warning that Apple will have to improve its
performance in the Windows arena.
On 14 June, Apple released
a security update for three flaws in Safari for
Windows, discovered almost immediately after it released the
browser in beta on 11 June.
According to Apple's bulletin, the update patches a number of
flaws, including a command injection vulnerability, an
out-of-bounds memory read issue and a race condition leading to cross-site
scripting. The issues allow attackers to execute malicious code.
Apple has come under increased scrutiny in recent months from
vulnerability researchers unhappy with the company's response when
bugs are reported. Dave Goldsmith of New York consultancy Matasano
Security said he hasn't had as much difficulty with Apple, but has
heard from other researchers that the company's response time often
leaves much to be desired. He believes Apple moved quickly this
time because it's something that affects Windows users as well as
the Mac faithful.
"They are obviously under the spotlight on this one, with flaws
being identified very quickly," he said. "I was surprised how
quickly flaws were found, but being on Windows is a much different
playing field than Mac. I think being on Windows will be the market
force that pushes Apple to work on these things faster."
Israeli vulnerability researcher Aviv Raff, among those who
found the Safari for Windows flaws this week, doubts the quick fix
is a sign that Apple is turning over a new leaf. In an interview
conducted over IM, he said a fast update is always easier when a
program is still in beta.
He said he didn't report his Safari finds directly "because of
my knowledge on how they treat security researchers." A good
example is today's advisory, he said, adding, "There was no credit
for any of us."
He hopes Goldsmith is right that Apple will take security more
seriously as it goes head to head with Internet Explorer on Windows
and researchers step up their efforts to find cracks.
"I really hope so," Raff said. "Apple can really learn from
Mozilla and Microsoft on this issue."

Denmark-based researcher Thor
Larholm also found one of the Safari glitches and
congratulated Apple
in his blog for "fixing a serious security vulnerability in
such a short time frame." Their usual response time can be counted
in weeks to months, he noted.
New York researcher Dino Dai Zovi attracted headlines in April
when he hijacked a Mac as part of a contest at the CanSecWest
conference in Vancouver. The contest was designed to raise
awareness of the threats facing Mac users, who tend to see Apple's
OS as a more secure alternative to Microsoft Windows and its
much-attacked Internet Explorer browser, conference organizers said
at the time.
On Thursday, Dai Zovi said Apple deserves more credit than it has
received for its security performance.
"They're definitely facing issues much faster these days," he
said. "When there's a lot of press or details are publicly known
they'll push out a fix more quickly. They've been doing their
best."
He noted that a lot of issues are being reported to the company
and that sometimes forces it into a game of catch-up. "I've
reported 10-plus flaws to them and the time to fix has ranged from
a year to a week," he said.