SECURITY UPDATES

Apple Plugs More Holes in Safari


Apple released another round of patches for its Web browser Safari 3 that address security issues and performance bugs. Without the new patches, Safari would quit while non-English users were entering information into text fields. There are improvements to the way the browser handles some Adobe Web applications as well as Yahoo Widgets and Google Reader.



Apple (Nasdaq: AAPL) continues to tweak and tighten up Safari 3, as it forges ahead with the public beta testing of what it calls the world's "fastest Web browser on any platform."

Two weeks didn't pass from the time Apple released Safari 3 beta until it issued a second round of patches for the browser. The second installment came in the form of the Safari 3.0.2 beta download announced Friday.

The patches include the latest security updates, as well as tweaks that offer improved stability "fixes for text display, non-English systems and start-up times," Apple said.

Holes for Hackers

One of the vulnerabilities repaired by the new version could have allowed for remote code execution by hackers. This would have allowed the intruders to direct the browser to a phony Web site that could install malware on the computer running the browser. Other holes in Safari 3.0.1 could have opened the door for cross-site scripting attacks, using JavaScript code and malformed HTTP (hypertext transfer protocol).

Additionally, before the upgrade, some Safari users were vulnerable to an outsider editing information in the URL (uniform resource locator) bar. This would allow a bad Web site to appear with the address of a good one.

Many of the patches repair instability issues and performance bugs. Sometimes, for example, the unpatched version of Safari for Windows would quit while non-English users were entering information into text fields. There are improvements to the way the browser handles some Adobe (Nasdaq: ADBE) Web applications as well as Yahoo (Nasdaq: YHOO) Widgets and Google Reader.

The latest release is more adept at handling RSS (really simple syndication) feeds, empty content-type headers, and HTTP and NTLM (NT LAN, or local area network, manager) authentication. Also improved is the browser's compatibility with some processors and video cards.

Still in the Kitchen

Apple will continue to improve the browser, noting it is planning to add PAC (proxy auto-configuration) file auto-detection, FTP (file transfer protocol) directory listings, cookie management, spell-checking, and support for page numbers, titles and margins when printing Web pages, the company said.

Apple didn't waste any time in offering the patches, said David Maynor, chief technical officer of Errata Security.

"They released them in generally a short amount of time," he told MacNewsWorld. "They fixed some critical bugs in there. I'm somewhat impressed with the response time on that."

Nevertheless, he said some problems unearthed by Errata remain even in the latest Safari version. "The bugs we found are still unfixed," said Maynor.

It's Better to Beta

Apple tells prospective Safari users on its Web site that they can now "enjoy worry-free Web browsing on any computer" because "Apple engineers designed Safari to be secure from day one." Marketing department proclamations like that might be embarrassing, given the need for two rounds of patches in two weeks, but the software is still in beta, noted Maynor.

"To be honest, it's good they are releasing it in beta fashion," he said. By doing so, Apple is getting lots of valuable input from experts and making the browser as bulletproof as possible before launching the official, public version, he said.

Geoff Johnston, a Web browser expert at Visual Sciences, underscored the value of beta-testing browsers. "It sounds like Apple is doing what they should be doing," he told MacNewsWorld. "You put it out in beta, and you understand that as things get going, there are going to be problems that are discovered."

Because Apple released a Safari 3 version for Windows, it is no longer free from the hacker headaches suffered for years by Microsoft (Nasdaq: MSFT), noted Johnston.

"Mac has always loved the fact there are a lot fewer hackers than with Windows. But now, by getting into the Windows world with this browser, Apple has opened itself up to all sorts of vulnerability issues," he said.

By Fred J. Aun