Safari 3 Beta Updated, Security Problems Fixed

Llywelyn writes "Apple has released an update to the Windows Safari 3 Beta. According to Macworld the updates '...include correction for a command injection vulnerability, corrected with additional processing and validation of URLs that could otherwise lead to an unexpected termination of the browser; an out-of-bounds memory read issue; and a race condition that can allow cross-site scripting using a JavaSscript [sic] exploit.' It is available through either the Apple Safari download site or through Apple's Software Update."

Naturally

[Diordna]

I'm your average rabid Apple fan, but surely they had to have a fix at least this fast to keep from looking stupid. I doubt they'll be as quick in the future.

Re:Bugs reported one day, fixed the next.

[Anonymous Coward]

In the interest of having a viable stable platform for iPhone development, they're going to have to keep up this quick turnaround on defect resolution. As someone mentioned a couple of days ago when Win Safari was first released, they're also going to have to work really hard for this software to compete with other browsers (which many think it can't). While I agree that it's an impressive turnaround, for Apple's sake, I hope they can keep up the momentum.

Re:not worth it

[LWATCDR]

"it's likely to just disappear and not make it back onto my machine the next time I reinstall Windows."
How often do you have to reinstall Windows?
I am not a big Windows fan but I go years between reinstalls without any problems.
I only do a reinstall when I get new System or a new Drive.

Re:Gee

[trolltalk.com]

Which policy would you rather your OS vendor have:

1. Wait for the monthly "patch Tuesday"
2. Close vulnerabilities ASAP

Consider this - this is just a "preview" product - and not even on "their" platform. Its good publicity. They're handling the vulnerabilities the same way Tylenol handled the poisoned pill problem - actively, instead of with their head up Gates/Ballmer's rear end going "no problemo".

Re:Patch Tuesday...

[trolltalk.com]

Patch Tuesday is there because Microsoft can't compete. It has nothing to do with the "cost" of patching, and everything to do with the "cost" of shipping a buggy product.

Simple economics:

1. Ship buggy product - lock customers in, customers bear cost of patching
2. Fix bugs - delay shipping product, forego revenue

Re:Bugs reported one day, fixed the next.

[jellomizer]

I think Apple just wants a solid #3 Browser Spot. That way when people test their webpages they will check 3 browsers IE, Firefox, Safari. Before safari for windows Web Developers needed a Mac to test Safari. Thus making #3 Opera. With with the bulk of Mac People using Safari and a modest Windows people (because once it is finalize it will be shipped with Quicktime and iTunes.) So some people will try it and like it better then IE. So it could be a solid #3 and probably more tested for compatability on web pages... Now with websites better designed for Safari it would make the migration to Macs one more step simpler. (fear of compatibility of web pages) I doubt that Apple has plans to make a profit with Safari for windows but more of a case to make sure they don't get left out in the loop. Apple is realistic, they realize not everyone wants or will get a Mac. But they feel if more people given the choice they would actually prefer one. Offing Safari, iTunes, QuickTime for Windows makes sure that these are also well supported to in real life allowing apple to maintain control on the global standards. Otherwise companies of new technologies could forget about Apple. Say make a codex that there is no QuickTime port. or a webpage that doesn't work with Safari. It is all about keeping control on their interests.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Well!

[vijayiyer]

Which is why "features" are not necessarily a good thing, and platform independent code is.

Re:I disagree

[edmicman]

Not trying to troll, I really have been wondering this. I keep seeing Safari touted as an iPhone development environment, but it's all supposed to be Web 2.0/AJAX/etc. But isn't making an AJAX web page cross platform by nature? Why couldn't you develop on Firefox or IE? And if it's not, if it's Safari-only, how is that any different than IE-only websites that everyone hates?

Re:Well!

[rainman_bc]

Wow fanboi mods are at it again eh... How they mod you Troll I have no idea.

C'mon folks, compared to Firefox it is very much void of features. But compared to Firefox most everything is void of features.

Re:I wonder if...

[ArsonSmith]

There are far too many sites that just don't function in Safari for me to use it. Whether it is Safari's fault or the sites fault is not of importance, it works in Firefox, not in Safari.

Re:I dont care what you say

[dantheman82]

I think this is BS. Tried running Safari at work and with a simple proxy, every time I enter anything and press OK, the program crashes. Then I press Cancel and cannot browse. By going to Edit => Preferences, the ability to change Proxy Settings has been disabled.

I give the Safari Browser a 0/10 for now. There's also the annoying issue of closing the application behind it when clicking in the corner of the screen when it's maximized. It doesn't close Safari, but whatever window was behind it. I've done this 2-3X.

I have a Macbook, so I'm not Apple, but I'm saying Safari is a POS from my perspective right now.

Re:I disagree

[Sancho]

The web was also supposed to be cross-platform. But poor implementations of specifications blow that out of the water. You have to work around bugs in CSS/Javascript implementations if you want medium-high complexity features in your pages. No doubt being unable to test iPhone apps on Windows would simply kill the 3rd party software market.

Mistakes are not bugs.

[trolltalk.com]

Calling them "bugs" is a way for us to avoid blame for making mistakes, either in the code itself or in the processes we use to plan and implement that code.

Calling an error a "bug" makes it sound like it could have crawled in there on its own. ("Gee, I don't know how that bug got in there. I'll fix it.")

It didn't just crawl in there on its onw, and its not a feature or a bug, its a mistake, pure and simple. And someone made it.

We (hopefully) learn from our mistakes. Labelling them "bugs" makes it less likely we'll take personal responsibility for them; hence more likely to make the same mistake the next time than if we were honest with ourselves and said "I screwed up - that's a mistake."

Sure, calling it a bug might sooth our egos (we don't have to admit we made a mistake - the program is just "buggy"), but really, are our egos that easily bruised that we can't own up to our mistakes?

Re:Excellent! Just one more thing...

[curunir]

The whole review misses what I believe is the point of the release entirely. They approach it from the point of view of a user who would be using it as their default browser. But I don't think Apple is really trying to win significant market share on PC browsers.

What they do want, however, is for developers to test their pages in Safari, not just FF and IE. Until the release, many developers used the fact that they couldn't run Safari on their development platform as a reason for not testing in Safari. Since Safari's CSS rendering is very compliant, most pages that render well in FF also render well in Safari. But Safari's JavaScript engine has a lot of quirks that developers won't catch unless they actually test in Safari. With the proliferation of AJAX-enabled sites out there, it's becoming more common for Mac Safari users to hit pages that just don't work for them. This is what Apple is trying to prevent.

But now that Safari is available in Windows (and hopefully Linux will follow), developers can easily test that their pages will work for Mac Safari users, even if they don't choose Safari as their default browser. This release many have lots of warts, but it's plenty good enough to fire up a couple of times a day to make sure that a specific site works.

Re:Of course.

[TheRaven64]

I've not used Ubuntu, but I imagine she'd think 'the stupid machine's broken again. I'd better call my grandson and get him to fix it,' just as she would when her Windows machine or Mac broke.

Re:Well!

[CheeseTroll]

I've found that a lot of web developers just don't realize which items are truly platform-independent, and which ones are not, until they test them and find out that some break. Formatting can be temperamental, as well. Just because a site is perfectly functional, doesn't mean it *looks* as good on other platforms without some adjustments.

More about the iPhone than the web

[Overly Critical Guy]

It's not so much that Apple wants developers to test their websites in Safari as much as it is they want to give Windows developers a WebKit platform in which to test web apps, since apps will be running in Safari on the iPhone.

Controlling the media

[Jeremy_Bee]

Safari 3.0.1, however, is just damage control.

Not "damage control," "media control."

I am surprised that not a single slashdot comment that I can find is stating the obvious, which is that this is "wag the dog" kind of stuff.
The patch was released almost too fast, what's the odds that it was already written?

Think about it. Apple releases an essentially identical, standards compliant browser on both Mac and Windows. Then it turns out that it's a security problem on Windows because of the foolish way in which Windows does not validate the URL. They then release a patch less than 24 hours later that allows them even more media coverage, exactly on that point. At the same time they get kudos for responding so fast.

Now on the day of the release (well half a day anyway), the press is all bad. But then comes dozens of articles about the fact that the problem is actually with Windows, not with Safari itself. Apple then gets to point out this fact in spades by mentioning in the press release that it was "windows fault and if you were on the Mac there is no need to worry." How good is that? :-)

To all those thinking Apple was embarrassed by the security flaws, your missing the bigger picture. A week from now no one will remember anything about that.

They will however remember that Apple fixed the "Windows problem" with Safari in less than 24 hours.

I think this whole exercise is a statement by Apple, a dig at windows specifically. They are not only showing Microsoft up by besting their best efforts in a browser, they are pointing out (again), that Windows is just less secure by design, as well as horribly non-compliant in terms of open standards. Even on the Mac, the main reason for Safari's existence has always been to promote the existence of open standards and open standard compliant browsers. What better illustration of that need could you get than this?

Re:I wonder if...

[jp10558]

Indeed, the web should not force users into a platform or a browser choice. If Firefox works great for you - great, but I find Opera works much better for me, and others will like Safari. The original designs of the web strived to let people focus on the user agent UI that works for them in competition, but all show the content in some manner.

I'd like to continue pushing for that. Otherwise, we all will be pushed back to Windows and IE (well, some browser/os combo).