Safari 3 Beta Leaves Systems Vulnerable To Remote Attack
It looks like while you can download the beta of Apple's Safari 3 browser for Windows, you probably shouldn't. Security experts have been busily testing the software – hailed as twice as fast as IE7 – and found a number of instabilities and, more worryingly, exploit vulnerabilities that could see websites run multiple commands on unsuspecting users' systems.
In less than two hours an exploit was coded that could trigger software on a remote system and run commands:
"In view of the fact that Apple is using the security of the Mac browser as an advertising point, it is particularly shocking just how simple the bug is. Larholm opens the following form using an IFrame:
myprotocol://someserver.com/some"[space]argument
The quote mark followed by a space slips an additional parameter into the protocol handler's program call. With a few finishing touches a web page can use this to run its own commands on a visitor's system" heise Security
Now bugs and glitches in software are nothing new, in fact Microsoft is oft-lambasted for their leaky Internet Explorer history (and rightly so), but it marks the continuing hurry to slap on a Beta label and get a first release out of the door. I've no doubt that Apple will continuously upgrade and tweak Safari in the run-up to a full release, but right now it's hard to recommend to anyone other than web designers looking to ensure their wares are compatible.
Apple's Safari into imperfection [heise Security]