Vulnerability researchers applaud Apple Inc. for fixing flaws in Safari for Windows within days of their disclosure. But for those who have had unpleasant encounters with the Mac maker over
Apple Thursday released a security update for three flaws in Safari for Windows, discovered almost immediately after Apple released the browser in beta Monday.
According to Apple's bulletin, the update patches a number of flaws, including a command injection vulnerability, an out-of-bounds memory read issue and a race condition for cross site scripting. The issues allow attackers to launch malicious code.
Apple has come under increased scrutiny in recent months from vulnerability researchers unhappy with the company's response when bugs are reported. Dave Goldsmith of New York consultancy Matasano Security said he hasn't had as much difficulty with Apple, but has heard from other researchers that the company's response time often leaves much to be desired. He believes Apple moved quickly this time because it's something that affects Windows users as well as the Mac faithful.
"They are obviously under the spotlight on this one, with flaws being identified very quickly," he said. "I was surprised how quickly flaws were found, but being on Windows is a much different playing field than Mac. I think being on Windows will be the market force that pushes Apple to work on these things faster."
Israeli vulnerability researcher Aviv Raff, among those who found the Safari for Windows flaws this week, doubts the quick fix is a sign that Apple is turning over a new leaf. In an interview conducted over IM, he said a fast update is always easier when a program is still in beta.
He said he didn't report his Safari finds directly "because of my knowledge on how they treat security researchers." A good example is today's advisory, he said, adding, "There was no credit for any of us."
He hopes Goldsmith is right that Apple will take security more seriously as it goes head to head with Internet Explorer on Windows and researchers step up their efforts to find cracks.
"I really hope so," Raff said. "Apple can really learn from Mozilla and Microsoft on this issue."Denmark-based researcher Thor Larholm also found one of the Safari glitches and congratulated Apple in his blog for "fixing a serious security vulnerability in such a short time frame." Their usual response time can be counted in weeks to months, he noted.
New Yorker researcher Dino Di Zovie attracted headlines in April when he hijacked a Mac as part of a contest at the CanSecWest conference in Vancouver. The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said at the time.
Thursday, Di Zovie said Apple deserves more credit than it has received for its security performance.
"They're definitely facing issues much faster these days," he said. "When there's a lot of press or details are publicly known they'll push out a fix more quickly. They've been doing their best."
He noted that a lot of issues are being reported to the company and that sometimes forces it into a game of catch-up. "I've reported 10-plus flaws to them and the time to fix has ranged from a year to a week," he said.