Safari for Windows
Another true Browser Alternative

Safari browser security

One of the most popular points that Mac fans bring up when pointing out how much better Macs are than Windows computers is how much more secure Macs are.  However, when Apple released the Safari browser for Windows, testers quickly realized that the browser was anything but more secure than Internet Explorer 7.  This is especially troubling since Apple touted the Safari browser on its web page as being “secure from day one.”

 

Researchers downloaded and began playing with Safari on Windows almost the minute that it was released.  One researcher in particular, Thor Larholm, found a URL protocol handler injection vulnerability that allows commands to be executed remotely.  This was found less than two hours after installation.  Larholm was quick to note that Safari doesn’t validate URLs in iframes as it should, which allows programs to manipulate protocol handlers in unpredictable ways.

 

David Maynor of Errata Security also found bugs: six of them, he claims.  Of these six, four are DoS and two are remote code execution bugs.  Additionally, he claims multiple crashes just from idle use and especially from importing bookmarks into the browser, a feature that many, if not most, users will almost certainly use, at least upon initial installation.

 

While it seems to be lax on security, Safari is simply too stringent on some issues.  For instance, Safari simply will not open a website with an expired or unsigned SSL certificate.  While this keeps users safe, it can be extremely frustrating when the user is familiar with the site and wishes to continue.  Firefox is much more clever in handling expired or unsigned SSL certificates in that it shows a warning and gives the user a choice of whether or not to continue.  Safari users would just be forced to use another browser, probably Firefox.

 

In its defense, Apple has been diligent in releasing updates for the Safari browser, but not all claimed exploits have been thoroughly patched.  This may be due to the fact that many people who actively search out these exploits give feedback to the companies whose software they test.  This is particularly true of David Maynor.  Maynor has vehemently stated that, in his previous attempts to point out crucial security exploits to the company, Apple chose to attack his credibility instead of fixing them.

 

Apple will hopefully address all of the concerns with its new browser, as it is clear that it cannot rely on hackers to simply target Internet Explorer just because it is a more popular web browser these days – particularly if it wants to enable its fans to continue the argument that Macs are more secure.

