Just as he did when Safari for Windows first arrived, Aviv Raff immediately went to work on Chrome yesterday to find it’s vulnerabilities. Because Chrome is based on Webkit, the same application framework as Safari, it shares some of the same flaws.

As reported by Macworld, a recent interview with Michael Barrett, PayPal’s chief information security officer, reveals that “Apple, unfortunately, is lagging behind what they need to do, to protect their customers”. Barrett also said, “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera”. Barrett went on to explain:

“Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari’s lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site.”

Apple representatives weren’t immediately available to comment on this story.

The iPod Touch has officially been cracked to allow third party applications to be installed. This is something Apple definitely did NOT want. The main part of the process is a TIFF exploit found in Safari. When the browser is pointed towards http://jailbreak.toc2rta.com (full instructions may be found here), Safari crashes and the door is open to begin the iTouch “Jailbreak” hack. This is NOT the first security vulnerability found in Safari.

Just 3 days after it’s initial beta release, Apple already has a software update available for Safari.

“Changes in Safari 3.0.1 for Windows beta: Latest security updates”

Safari for Windows had only been released a matter of hours before “security researchers” began hammering away at it.

Thor Larholm wrote a PoC exploit in just 2 hours, and shared his method and thoughts in “Safari for Windows, 0day exploit in 2 hours“. The attack can use an installed Firefox application and the Gopher URL protocol (other “attack vectors” besides these could be available), but the actual vulnerability is provided by Safari. Thor also provides a direct link to a page that WILL crash your Safari browser on Windows just to demonstrate!

Aviv Raff was able to locate a memory corruption by running Hamachi (”a community-developed utility for verifying browser integrity, written by H D Moore and Aviv Raff”). More can be found at “Apple Safari for Windows - Out with a crash“

David Maynor found 6 bugs (4 DoS and 2 remote code execution), and reported them in his appropriately named article: “Niiiice…“.