Safari 3 Beta Updated, Security Problems Fixed

Llywelyn writes "Apple has released an update to the Windows Safari 3 Beta. According to Macworld the updates '...include correction for a command injection vulnerability, corrected with additional processing and validation of URLs that could otherwise lead to an unexpected termination of the browser; an out-of-bounds memory read issue; and a race condition that can allow cross-site scripting using a JavaSscript [sic] exploit.' It is available through either the Apple Safari download site or through Apple's Software Update."

Well!

[drhamad (868567)]

It's about time! ;) What took them so long!

Re:

[vijayiyer (728590)]

Which is why "features" are not necessarily a good thing, and platform independent code is.

Re:Well!

[CheeseTroll (696413)]

I've found that a lot of web developers just don't realize which items are truly platform-independent, and which ones are not, until they test them and find out that some break. Formatting can be temperamental, as well. Just because a site is perfectly functional, doesn't mean it *looks* as good on other platforms without some adjustments.

Re:Excellent! Just one more thing...

[curunir (98273)]

The whole review misses what I believe is the point of the release entirely. They approach it from the point of view of a user who would be using it as their default browser. But I don't think Apple is really trying to win significant market share on PC browsers.

What they do want, however, is for developers to test their pages in Safari, not just FF and IE. Until the release, many developers used the fact that they couldn't run Safari on their development platform as a reason for not testing in Safari. Since Safari's CSS rendering is very compliant, most pages that render well in FF also render well in Safari. But Safari's JavaScript engine has a lot of quirks that developers won't catch unless they actually test in Safari. With the proliferation of AJAX-enabled sites out there, it's becoming more common for Mac Safari users to hit pages that just don't work for them. This is what Apple is trying to prevent.

But now that Safari is available in Windows (and hopefully Linux will follow), developers can easily test that their pages will work for Mac Safari users, even if they don't choose Safari as their default browser. This release many have lots of warts, but it's plenty good enough to fire up a couple of times a day to make sure that a specific site works.

Re:

[aztracker1 (702135)]

Given that Safari (Apple Web Kit) is based on KHTML (Konqueror), you can use Konqueror in Linux to get a decent grasp of where you stand with Safari... I know that AWK has deviated for KHTML, and back changes take a while to, if ever, get into the KHTML code base, it is still a decent reference point...

Personally, I would much rather have seen the Apple guys throw their support behind the Gecko engine, and Camino. It's not that KHTML/AWK is a bad browser base, I just think it would have been easier to u

More about the iPhone than the web

[Overly Critical Guy (663429)]

It's not so much that Apple wants developers to test their websites in Safari as much as it is they want to give Windows developers a WebKit platform in which to test web apps, since apps will be running in Safari on the iPhone.

Horrible International Language support

[by Anonymous Coward]

Downloaded and tried to open websites in Chinese. The rendering is just horrible, unreadable and totally unacceptable. Texts are not where they should be. In this sense, this Safari is even not as good as IE 4, which could display such webpages well. I heard that, (didn't try), Safari could not open most webpages in non-western languages.

Re:Horrible International Language support

[nevali (942731)]

The issue there is that Mac OS X's own international character support does all the hard work for the applications: they don't generally need to worry about it. On Windows, it's a very different story, which means it'll take Apple more than a couple of days to make WebKit/Win32 deal with it all as elegantly as it does on OS X.

Re:Horrible International Language support

[nevali (942731)]

NT handles Unicode character storage and manipulation just fine, yes.

Unicode font rendering (automatically selecting the a font which contains a particular character, because generally no font contains all Unicode characters, and if one did exist, it probably wouldn't be the text font in use) is a different matter altogether.

Mac OS X does sane font substitution when faces don't include a particular character. On Windows, AFAIK, typing a Japanese glyph when using a font that doesn't support that code point will result in the square block--on the Mac, the type renderer will find the closest visual match (in terms of style) for a font that does include the code point and use that for those glyphs.

Re:

[stephentyrone (664894)]

Works perfectly in safari 3 on a mac. Windows bug?

Re:

[Altus (1034)]

As another poseter pointed out, the handling of international character sets is different on windows than on the mac so its not surprising that something works properly in the mac version of safari and not in the windows beta. Obviously apple will need to fix these issues, but its not surprising.

Naturally

[Diordna (815458)]

I'm your average rabid Apple fan, but surely they had to have a fix at least this fast to keep from looking stupid. I doubt they'll be as quick in the future.

Re:

[99BottlesOfBeerInMyF (813746)]

I doubt they'll be as quick in the future.

Sure they'll be this quick in the future, right up until it leaves beta, then they'll actually have to do full regression tests which will take longer and have a turn around time aout the same as the Mac version.

It always amazes me when I hear people complaining about bug fix times from vendors who take between one and six weeks to get a bug into production. Those are normal turn around times assuming the vendor starts work immediately on a development/testing cycle for a large, production software proj

Re:

[jp10558 (748604)]

Part of it seems to be that Safari has some bugs that break benchmarks:
http://www.howtocreate.co.uk/safaribenchmarks.html [howtocreate.co.uk]

I wonder if...

[Ant P. (974313)]

Konqueror's Win32 release will be as big a disaster.

Re:I wonder if...

[ArsonSmith (13997)]

There are far too many sites that just don't function in Safari for me to use it. Whether it is Safari's fault or the sites fault is not of importance, it works in Firefox, not in Safari.

Re:

[TheRaven64 (641858)]

Really? I have the opposite experience. I occasionally try FireFox because people tell me how much better than Safari it is. It integrates horribly with the rest of OS X (e.g. doesn't use KeyChain for passwords, so I have to manually transfer info over, even though Safari, Opera and OmniWeb all manage to use the same store), but apart from that, the rendering of sites is just bad. As an example, Blogger entries often have text run together so it's unreadable. The only sites I've had any problems with i

Re:

[jp10558 (748604)]

Indeed, the web should not force users into a platform or a browser choice. If Firefox works great for you - great, but I find Opera works much better for me, and others will like Safari. The original designs of the web strived to let people focus on the user agent UI that works for them in competition, but all show the content in some manner.

I'd like to continue pushing for that. Otherwise, we all will be pushed back to Windows and IE (well, some browser/os combo).

Now if they would fix the text problem...

[norminator (784674)]

Now if they would just fix the problem that some people (including myself) are having where no text shows up anywhere in the application and you can't type in any of the text input fields (kind of hard to use a browser when you can't type in an address).

Re:Now if they would fix the text problem...

[Henry V .009 (518000)]

Yes, I've got this problem on my Vista install at work. Clicking the little spider icon to report the bug crashes the program.

Mini-review of Safari on my home Vista install: The non-standard Windows UI is annoying. If I wanted to resize only from the bottom right corner I would have bought a Mac. The lack of an advertisement blocker makes the software a poor alternative to Firefox. The bundling is annoying. I don't want Quicktime. Quicktime is ugly, ugly software. It makes Firefox crash, grabs all sorts of MIME types, throws its icon up on the desktop every time it updates no matter how many times you delete the icon, it installs a systray icon (for a media player?!? come on), and it won't play full screen videos. ITunes is only a good media player if you own a Ipod. Don't want that either. The Apple update service is annoying as well. Why a separate service? I want my apps to check for updates when I start them or not at all.

Good points? Well, Safari displays web pages, I guess. Good for Apple.

Re:Now if they would fix the text problem...

[Goaway (82658)]

If you didn't want QuickTime bundled, why did you select to download the version that bundles it?

Security is not the big problem

[MBoffin (259181)]

Fixing the security issues may help in keeping Apple from looking foolish, but security is not the real problem with Safari for Windows. The real problem with Safari for Windows that Apple should be putting focus on is the user experience.* It's horrendous. Slow window redraws, completely broken Windows conventions, a total lack of extensibility, and on and on.

As a web developer, I'm pleased as punch that they've released a Windows version of Safari that renders pixel-for-pixel the same as the OS X version (it really does, I checked). However, Safari on Windows is not even in the running as far as being a candidate as a full-time browser on Windows. The user experience is simply too painful.

* I didn't say they should not focus on security. They most definitely should.

Awesome, now I can read /. again!

[Jugalator (259273)]

No wait... [imageshack.us]

But maybe it's just as good to not have any sensationalist headlines to mislead you? :-p

Why so negative on Safari???

[Wingsy (761354)]

I've used it on Windows XP Pro. A friend has been using it on Vista. Neither of us can find a single thing wrong with it in 2 days of browsing (even to my bank, the acid test of browsers). The LA Times reviewer recommends it. ComputerWorld praises it. But here on Slashdot about all I see are people giving it a thumbs down. Am I seeing a bit of bias here? Someone direct me to a web page that Safari 3 on Windows XP renders horribly. Please, I wanna see.

Gee

[sid0 (1062444)]

they haven't fixed [rec-sec.co.il] all the vulnerabilities yet.

Re:Gee

[trolltalk.com (1108067)]

Which policy would you rather your OS vendor have:

1. Wait for the monthly "patch Tuesday"
2. Close vulnerabilities ASAP

Consider this - this is just a "preview" product - and not even on "their" platform. Its good publicity. They're handling the vulnerabilities the same way Tylenol handled the poisoned pill problem - actively, instead of with their head up Gates/Ballmer's rear end going "no problemo".

Patch Tuesday...

[sid0 (1062444)]

...is there for a reason [wikipedia.org].

Though I really would prefer vulnerabilities fixed asap, I can see the reason for Patch Tuesday, especially for non-0day exploits.

Safari 3.0.1, however, is just damage control.

Re:

[644bd346996 (1012333)]

Patch Tuesday would be a very asinine idea for a beta product. If patching costs are a problem even for your limited beta deployment, that's just because you suck at updating software.

Safari being the partly-OSS product it is, it might be a good idea for Apple to release weekly or nightly builds. That could generate quite a bit of attention for Safari/Windows, because people would recognize "beta" as an ongoing process.

Take your tinfoil hat off, man

[sid0 (1062444)]

First: complex software written for use on a wide variety of configurations WILL HAVE BUGS. I just don't see any way around it. This has nothing to do with competition. OS X in the past 2 months has had a huge number of patches, hasn't it? That too, with a BSD based kernel and a much smaller hardware base.

Second: Not every bug is a showstopper. Even if a bug is found after code freeze, it might be better to release a patch separately. You know, like those "errata" sheets of paper in books.

When a patch is released the vulnerability *has* to be disclosed! That means sysadmins would run around trying to keep systems up to date the whole month.

I agree that more out of cycle patches should be released for serious vulnerabilities that are being exploited, but I see nothing wrong with the Patch Tuesday method otherwise.

Mistakes are not bugs.

[trolltalk.com (1108067)]

Calling them "bugs" is a way for us to avoid blame for making mistakes, either in the code itself or in the processes we use to plan and implement that code.

Calling an error a "bug" makes it sound like it could have crawled in there on its own. ("Gee, I don't know how that bug got in there. I'll fix it.")

It didn't just crawl in there on its onw, and its not a feature or a bug, its a mistake, pure and simple. And someone made it.

We (hopefully) learn from our mistakes. Labelling them "bugs" makes it les

Re:

[TheRaven64 (641858)]

I've not used Ubuntu, but I imagine she'd think 'the stupid machine's broken again. I'd better call my grandson and get him to fix it,' just as she would when her Windows machine or Mac broke.

Re:Bugs reported one day, fixed the next.

[by Anonymous Coward]

In the interest of having a viable stable platform for iPhone development, they're going to have to keep up this quick turnaround on defect resolution. As someone mentioned a couple of days ago when Win Safari was first released, they're also going to have to work really hard for this software to compete with other browsers (which many think it can't). While I agree that it's an impressive turnaround, for Apple's sake, I hope they can keep up the momentum.

I disagree

[WrongSizeGlass (838941)]

As someone mentioned a couple of days ago when Win Safari was first released, they're also going to have to work really hard for this software to compete with other browsers (which many think it can't).

I may be wearing my ass as a hat, but I honestly don't see Apple expecting Safari to compete in the Windows browser market. It is my (potentially asshattian) opinion that Safari is available on Windows solely for the purpose of providing a testing environment for iPhone development for Windows developers. It's never going to take over the Windows browser market (or even made a serious dent).

Having Safari available on Windows removes the 'Apple Only' hardware requirement for any company who wants to develop Web 2.0/AJAX applications that run on the iPhone which opens Safari development to a much much larger pool of developers.

Re:

[edmicman (830206)]

Not trying to troll, I really have been wondering this. I keep seeing Safari touted as an iPhone development environment, but it's all supposed to be Web 2.0/AJAX/etc. But isn't making an AJAX web page cross platform by nature? Why couldn't you develop on Firefox or IE? And if it's not, if it's Safari-only, how is that any different than IE-only websites that everyone hates?

Re:

[Sancho (17056)]

The web was also supposed to be cross-platform. But poor implementations of specifications blow that out of the water. You have to work around bugs in CSS/Javascript implementations if you want medium-high complexity features in your pages. No doubt being unable to test iPhone apps on Windows would simply kill the 3rd party software market.

Re:Bugs reported one day, fixed the next.

[jellomizer (103300)]

I think Apple just wants a solid #3 Browser Spot. That way when people test their webpages they will check 3 browsers IE, Firefox, Safari. Before safari for windows Web Developers needed a Mac to test Safari. Thus making #3 Opera. With with the bulk of Mac People using Safari and a modest Windows people (because once it is finalize it will be shipped with Quicktime and iTunes.) So some people will try it and like it better then IE. So it could be a solid #3 and probably more tested for compatability on web pages... Now with websites better designed for Safari it would make the migration to Macs one more step simpler. (fear of compatibility of web pages) I doubt that Apple has plans to make a profit with Safari for windows but more of a case to make sure they don't get left out in the loop. Apple is realistic, they realize not everyone wants or will get a Mac. But they feel if more people given the choice they would actually prefer one. Offing Safari, iTunes, QuickTime for Windows makes sure that these are also well supported to in real life allowing apple to maintain control on the global standards. Otherwise companies of new technologies could forget about Apple. Say make a codex that there is no QuickTime port. or a webpage that doesn't work with Safari. It is all about keeping control on their interests.

That goes without saying

[Nymz (905908)]

Gee, 1-day service. Sounds like Apple is a lot more serious about security fixes than Microsoft.
(but then again, we already knew that)

Yep, sounds like the choice of browser will be obivious. Slashdot should publish statistics of which browsers are used by Slashdotters to view Slashdot.

Re:

[WrongSizeGlass (838941)]

Yep, sounds like the choice of browser will be obivious. Slashdot should publish statistics of which browsers are used by Slashdotters to view Slashdot.

Here you go:
* .01% - Safari (Windows)
* .02% - Opera (All)
* 03% - Cowboy Neal (Windows)
* 14% - Internet Explorer
* 19% - Cowbow Neal (Linux)
* 22% - Safari (Macintosh)
* 35% - FireFox (Windows)
* 99% - FireFox (Linux)
* Profit!

Re:Browser Statistics

[WrongSizeGlass (838941)]

That is one large group of browsers, as 192.03% of anything is pretty big.

Well, we are talking about Web 2.0 (which should equal 200% IIRC). I guess I forgot
* 7.97% - Other

Anyone have a download link to the latest version of Cowboy Neal?

I'd post it again, but I don't want to receive another DMCA takedown notice.

Actually, you don't have to give out your email ID

[sid0 (1062444)]

Just don't fill in that field. :P

Re:not worth it

[nevali (942731)]

Er, you don't have to give an e-mail address to download it, just to sign up.

Leave the box blank and the check-box ticked and it still downloads.

Re:

[LWATCDR (28044)]

"it's likely to just disappear and not make it back onto my machine the next time I reinstall Windows."
How often do you have to reinstall Windows?
I am not a big Windows fan but I go years between reinstalls without any problems.
I only do a reinstall when I get new System or a new Drive.

Re:not worth it

[paanta (640245)]

it's likely to just disappear and not make it back onto my machine the next time I reinstall Windows.

Best advertisement for OS X I've seen all day. :P

Re:I dont care what you say

[Baricom (763970)]

I think the reason's pretty simple: companies like Google have been abusing the "beta" moniker lately. The betas I've seen from Apple (including Safari and earlier, Quicktime 7) have been more consistent with what I would consider a beta: they mostly work and are useful for testing, but still have significant problems.

Perhaps what they might have done is require an Apple Developer Connection account to download instead of making it available through general release.

Re:

[MBCook (132727)]

OK. Here is what I think. I use Safari as my main browser on my Mac which I use for all personal computing. It's a nice browser. I started using it to try it, and I've stuck with it. I'm happy with it for the most part.

Now I've tried it on Windows. It's cute. Even if it was perfect, it wouldn't replace FireFox because at this point I'm addicted to FlashBlock on my work PC. Things I use often have annoying flash ads and the computer isn't that fast in the first place. I'm glad it's there, and if I was going

Re:

[dantheman82 (765429)]

I think this is BS. Tried running Safari at work and with a simple proxy, every time I enter anything and press OK, the program crashes. Then I press Cancel and cannot browse. By going to Edit => Preferences, the ability to change Proxy Settings has been disabled.

I give the Safari Browser a 0/10 for now. There's also the annoying issue of closing the application behind it when clicking in the corner of the screen when it's maximized. It doesn't close Safari, but whatever window was behind it. I'

Re:

[nevali (942731)]

If they've carried the keystrokes over from the Mac version, it'll be Cmd+Shift+[ and Cmd+Shift+], which on windows would be Ctrl+Shift+[ and Ctrl+Shift+]

Re:

[3.14159265 (644043)]

But you already get simplicity, speed, and security with Opera.

Re:

[Wingsy (761354)]

I've read elsewhere about that awful blurry text problem, compared to what FF & IE render in Windows. So I fired them both up side by side, to the same page, and I see exactly what you mean. It IS blurry! In fact, it is so blurry it no longer looks like it's been printed on a dot matrix printer. Really, viewing the two side by side, I cannot believe that anyone can read the pixelated FF page better than the font-smoothed Safari page. It ain't blurry, it's just got the jagged corners removed. Much more r

It's not a bug

[Overly Critical Guy (663429)]

Apple renders fonts to match the accuracy of the glyphs so that they resemble what they would look like in print, important for desktop publishing. Windows happily renders fonts inaccurately so that they're 1-pixel thin and packed into a pixel grid.