In the now-classic Apple commercials, Mac Guy occasionally remarks to PC Guy that Macs don't have the security problems of PCs. But now, Mac Guy might have PC Guy's problems. Within hours of Monday's announcement that Safari 3 beta was available for Windows, three security blogs identified vulnerabilities in the Apple-made browser.
While Apple's marketing information suggests Safari has been "designed to be secure from day one," security experts Aviv Raff, David Maynor, and Thor Larholm found otherwise -- in some cases simply by opening a malicious Web site in Safari.
Bloggers Unveil Issues
Writing on the Errata Security blog, David Maynor said on Monday that using "publicly available tools," he and associates found "six bugs in an afternoon; four DoS and two remote code execution bugs." DoS refers to a denial-of-service attack in which packets of data can overwhelm and then crash a computer.
The bugs work not only on the Windows version of Safari, Maynor wrote, but also on the version for Apple's OS X. "Same code base for a lot of stuff," he said.
Maynor said that his disclosure policy was to "give vendors as long as they need to fix problems." But "if the vendor is unresponsive" or makes threats, he wrote, after 30 days he will release the full details. In any case, he said, the information on the vulnerabilities will not be sold to a third party.
Thor Larholm, on his blog Larholm.com, wrote today that, within two hours of downloading, installing, and using Safari for Windows, he found a "fully functional command execution vulnerability, triggered without user interaction simply by visiting a Web site."
He pointed out that Safari was originally designed for tight integration with OS X, but "the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur." When Apple released Safari for Windows, he noted, the company neglected to implement Windows-specific URL protocol handlers. The result is that a malicious user can "break out of the intended confines and wreak havoc."
On his blog, aviv.raffon.net, Aviv Raff said that he found "memory corruption" that "might be exploitable," although he added that he'll "have to dig more to be sure of that."
Apple has not reacted to the reports about security flaws in Safari.
Some Consolation
Some user comments on the blogs were critical of Apple, but others were more generous. "It's beta, remember? Of course it has bugs," commented one visitor to Aviv Raff's blog. Another added that Safari is running on an OS that "is not fit," meaning Windows.
The beta version of Safari for Windows was announced Monday by Steve Jobs during his keynote address to the Apple Worldwide Developers Conference in San Francisco. He also announced that Safari would be available in a full version for the upcoming iPhone, and that developers would be able to create "Web 2.0 applications" that run on Safari for the iPhone.