Whilst still being a minority browser outside of its own OS monoculture, Apple's Safari is rapidly gaining ground against the more popular Opera
, and Internet Explorer
packages – helped, of course, by the latest iTunes update installing Safari onto Windows PCs that hadn't had it before. A side-effect of this growth, however, is that more critical eyes turn towards your product.
During the PWN to OWN
contest at the CanSecWest security conference in Vancouver, the very first system to fall prey to security researcher's penetration attempts was a MacBook Air running the latest build of Apple's Safari browser. The winner of the contest, Charlie Miller, was awarded a cash prize of $10,000 plus the MacBook Air in question, which was running MacOS X 10.5.2 alongside the latest Safari.
The full details of the attack aren't currently known, as the conditions of the contest mean that any exploits used by entrants become the sole property of principle sponsors TippingPoint. The security company has announced that the details of the attack have been turned over to Apple, however; so let's hope that it won't be long until we see a fix.
Far from being a new flaw, the page spoofing exploit it precisely the same as those that Microsoft's Internet Explorer browser suffered from three years ago
This also comes along with more recent news that Safari – again on Windows – suffers from a buffer overflow when a ZIP archive with an overly long filename is downloaded. So far, this only results in a crash – but the potential for remote code execution is always there.
Safari is far from being the only browser to have security flaws – we've just seen the release of Firefox 18.104.22.168 specifically to correct a bug described by the development team as 'critical' – but that so many major problems have been discovered in the browser might demonstrate that Apple has finally succeeded in becoming 'mainstream' enough for the crackers to sit up and take notice.
Do you believe that Apple software is intrinsically secure, or are we likely to see the same trial-by-fire with the Safari browser that older packages have already endured? Share your thoughts over in the forums