Safari for Windows, Mac, and probably iPhone found to have tons of security holes

As noted here and in many other places, Safari turns out to be full of security flaws, at least some of which are in the production (2.0.4) version as well as the 3.0 “beta” (it doesn’t show beta in its About box).

Safari on Windows is proving pretty buggy for me; among other things, it doesn’t save preference changes. (Ironically, it crashes when I try to view a MacWorld Blog page complaining about the uninspiring announcements at WWDC.) Personally, I think it’s nice to see security flaws in Safari exposed because, hopefully, Apple will be forced to fix them. The nastiest exploit I’ve seen tricks Safari into running arbitrary command lines under Windows (via cmd.exe).

If only it had market share, it would have Security Vulnerabilities

The revelation that the security flaw exploited to win a hacking competition last week was related to Java applets that used QuickTime is very interesting because of the usual argument that Macs are only seen as less vulnerable because they have a smaller installed base. Well, QuickTime doesn’t have a “smaller installed base”. Its installed base is highly comparable to that of, say, Internet Explorer, Microsoft Office, or Windows Media Player. Indeed, given that Apple is less likely to rev QuickTime randomly (Windows Media Player 11, anyone?) and that iTunes and iPods are tightly linked to the latest version, the chances are that its market penetration exceeds any of these products. Is that not interesting?

Here are QuickTime 7’s stats from secunia.com (hey, they’re biased against Apple*, but then who isn’t in the security industry? Until we can get Mac users buying third-party firewalls and antivirus software, we’re going to keep telling everyone they’re an accident waiting to happen). Note that these stats include the vulnerability exploited in the CanSecWest competition.

Here are Internet Explorer 7’s stats (note that most folks are probably still using Internet Explorer 6). IE7 has a similar number of vulnerabilities in a shorter timeframe, but they’re more critical and far less likely to have been patched. (And remember, Secunia is the company that treats a trojan you need to download and type an admin password to install on a Mac as highly critical, while a vulnerability that can take over your PC if you just visit the wrong website is not.)

Here are Microsoft Office 2003’s stats. Quite a few vulnerabilities, almost all remote, and, oh look, one in six is unpatched.

There are so many versions of Windows Media Player that linking them all would be kind of tedious. Windows Media Player 11 so far has no listed vulnerabilities. Here are WMP 9 and WMP 10, though.

Given that the vulnerability lies at an interface between code which relatively few people care about (Java) and code that gets a lot of attention (QuickTime), I suspect it will turn out that some previously identified buffer overflow that was fixed for QuickTime via its more popular and conventional paths (e.g. the browser plugin) was never fixed for the Java QuickTime API.

Conclusion: Apple just writes better software than Microsoft, and doesn’t leave critical vulnerabilities unpatched for years. But we knew that already.

Note: * Secunia, biased? Say it isn’t so. Here’s a vulnerability in IE that can make an arbitrary malicious file appear to be an HTML file when you “Save As…”. Note its criticality. Here’s an “extremely critical” vulnerability in Mac OS X (note that Mac OS X is one product, like Windows XP Home Edition). It’s listed as partially unpatched because, apparently, you can still manually execute shell scripts that are placed in an archive. OMG, really? Gimme Outlook 2000, which won’t let me extract .exe files from email attachments even if I sign a release in triplicate. Yeah. That would fix it.

Secunia, Techworld, Mac OS X, and various Reality Distortion Fields

Recently, a Danish (I am told) internet security firm named Secunia has gotten a lot of free publicity, largely by making the pronouncement that Mac OS X is no more secure than other operating systems, notably Windows XP and its variations, which it considers the most secure of all.

Apple has gotten quite a bit (not a huge amount) of bad press over this, all of it citing Secunia’s Press Release. The most vehement I have encountered is on Techworld.com: Apple Shames Itself Again Over Security.

Unlike some pro-Apple bigots, I am not entirely immune to doubting the utter superiority of Mac OS X to all alternatives, so I decided to do a little research. Something, apparently, no one at Techworld is required to do.

If you visit Secunia’s website, and I suggest you do, try looking at their archives of security alerts under Apple: Mac OS X and Microsoft: Windows XP Professional. I won’t link directly, since you should go find these things yourself to (a) prove how easy it is, and (b) demonstrate that I am not cherry-picking my results.

First of all, in their summary graphs and tables, Secunia reports fewer security alerts for Mac OS X (all versions, including Server) than for one variant (Professional) of Windows XP. But, hold your horses, Windows XP Professional is reported as having no serious issues: none, zero percent (out of 67).

But, when you scroll down the page, you discover several serious issues listed. Hmm, if there are several, how does this come out as 0%? So either Secunia is incompetent or dishonest. Certainly, journalists can’t be bothered checking beyond press releases. Well, no surprise there.

What’s more, one of these serious issues has been unresolved for nine months!

And then there’s the well-known gaping hole of ActiveX (an ActiveX control can do anything it likes to your machine). ActiveX issues are mentioned only once on Secunia’s XP Professional page and shown as a single serious flaw which has been fixed. (It’s one of the 0%.) Well, the “fix” is that the user has to magically know that this ActiveX control isn’t safe and click “No”, while, to get his or her daily work done, he or she may also have to magically know that other ActiveX controls ARE safe and click “Yes”. Whew. Glad that was “fixed”.