Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC. PC World"s Erik Larkin isn"t surprised that Safari would become a security risk. But Apple"s claims about the new browser"s security have touched a nerve with security researchers: Two of the researchers blamed Apple"s "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.
First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities. Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer"s Black Hat security conference, didn"t hesitate to take a shot at the Cupertino, Calif. company. "I can"t speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."