http://www.apple.com/safari/download/

pretty fun to finally see some mac software crossover, and competing with microsoft's stuff.

They claim it to be the fastest, but on my "amd1300 256mb ram, XP pro" at least it does _not_ outperform firefox, which is still
about 20% faster to load, and scrolling in safari appears to be a pain.

Still I bet on faster systems the un native graphics drawback is minimalized and it's a fun gimmeck to have around,
now if they'd only opensource it

btw there are rumors that (open) solaris will be GPLv3'ed, which would be fun too, can't wait to peek at the kernel

cheers.

heh2 there appear to be many many many holes in this windows port of safari,

google around there are already several 0day remote command execution, DoS and memory corruption bugs
..

Apple:auch

There is some controversy regarding the claim of zero-day code execution bugs for Windows Safari. The code may well be vulnerable - it is beta, after all - but the claims are suspect too.

David Maynor seems to have used fuzzing (program generated test cases) to find bugs and claims to have "weaponized one to be reliable", which I take to mean repeatable but not executable code injection. Maynor seems to have a grudge against Apple: He claims to be a security researcher, but does not inform Apple when he finds bugs. The accuracy of his claims have been poor in the past: I first heard of him when he claimed a Mac WiFi bug was exploitable, but it turned out to affect only third party drivers, not the ones shipped with OS X.

Thor Larholm offers a more specific claim of "protocol handler command injection", meaning crafting devious arguments for protocol handler programs, but offers a proof of concept exploit for Firefox, not Safari. That doesn't mean Windows Safari is safe, but it doesn't prove vulnerability either.

Anyway, I'd be interested to hear if there is an actual zero day exploit for Windows Safari.

yeah, i don't really have the time to investigate everything thoroughly,

but my security radar had enough blips on it, to assume at least some of it was true

so if anybody get's more updates do let me know too

done some testing, and on none of my pc's does safari outperform firefox

safari crashes when I select "add bookmarks" ... there is a reason, but that's not my problem nomatter what
the circomstances it shouldn't crash imho.

the protocol vuln that is suposed to bounce through FF does, crash safari, and starts to go through firefox
but nothing else much happens.

http://src.opensolaris.org/source/ -> There you go for the source.

Yeah multiple 0day exploits are already all over the net.
Take this for example.

yeah that's probably the one unime ment with


The actual truth is that it _is_ a safari exploit that uses firefox, it claims there are multiple possible protocol handlers that could be vulnereable, but he uses firefox.
I haven't had the time to look at it thoroughly, but it doesn't look like "security from day one" is entirely accurate
maybe security from day 1 of official release ... but still.

there are other things that annoy me about safari though it's a nice gimmick but that's about it .

Thanks, Alt3rn4tiv3. I had not seen Larholm's page on the bug, only summaries.

I misunderstood the summaries, believing that Larholm's bug affected only Firefox, when it is actually the way Safari invokes Firefox at fault.

As it turns out, Safari fails to escape arguments to protocol handlers. Clearly this is asking for trouble. Firefox then interprets the arguments, executing the malicious actions. A better design would have protocol handlers invoked without allowing them to interpret the unescaped characters as additional arguments or (worse) as containing special shell redirection or execution characters.

Larholm says the bug is not limited to Firefox, but doesn't have a proof of concept for just Safari on Windows.