In association with heise online

12 June 2007, 16:36

Apple's Safari into imperfection


It was the big announcement at the end of Steve Jobs' keynote speech at the WWDC Apple users conference - Apple was to release a Windows version of its Safari browser. Safari is allegedly faster than all of its Windows competitors. However, users whose curiosity has been piqued should wait a little longer. It's really not worth it at present.

[Image: Safari on Windows looks familiar to Mac users.]

In our quick test under Windows XP the program still seems to be pretty unstable. For example, if you try to access the bookmark manager, Safari crashes. Users who try to send a request using the Google entry field will also experience a crash. Safari also appears to be unable to display bold or italic text in non-English language versions of Windows - a problem of software localisation demonstrated by tests carried out by the c't editorial team, who found that Safari does not experience this problem on an English language version of Windows. Overall, however, Safari appears to have huge problems displaying various websites under both English and other language versions of Windows.

[Image: Safari fails to render bold text under the German language version of Windows.]

In many other areas it also shows signs of having been cobbled together in a hurry. Users wanting to take a look at the licensing information, for example, will see the message "Safari is missing important resources and should be reinstalled," which is hardly likely to inspire confidence. Attempts to call up the help function are also in vain.

Such problems are annoying, but what makes the browser really dangerous are the many security vulnerabilities. Security expert Thor Larholm claims he needed just two hours to create an exploit for a bug in Safari allowing him to start arbitrary programs. In view of the fact that Apple is using the security of the Mac browser as an advertising point, it is particularly shocking just how simple the bug is. Larholm uses an IFrame to open a URL of the following form:

myprotocol://someserver.com/some"[space]argument

The quote mark followed by a space slips an additional parameter into the protocol handler's program call. With a few finishing touches a web page can use this to run its own commands on a visitor's system.
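
The argument split described above, next to the percent-encoding that prevents it, as an added example that is not part of the original article or of Larholm's exploit. The handler path, the command template and the function names are hypothetical, and the argument splitter is a simplification of Windows command-line parsing (no backslash rules).

```python
from urllib.parse import quote

# Assumed registration of a hypothetical protocol handler; %1 becomes the URL.
TEMPLATE = '"C:\\Program Files\\Handler\\handler.exe" "%1"'

def split_args(cmdline):
    """Simplified Windows-style split: a double quote toggles quoting,
    whitespace outside quotes ends the current argument."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def launch_naive(url):
    """Substitute the raw URL into the template, as the flawed behaviour does."""
    return split_args(TEMPLATE.replace("%1", url))

def launch_encoded(url):
    """Percent-encode the URL first; '"' and space are not in the safe set."""
    safe = ":/?#[]@!$&'()*+,;=%"  # URL delimiters and existing escapes stay
    return split_args(TEMPLATE.replace("%1", quote(url, safe=safe)))

def is_single_argument(argv):
    """Launch-time check: the handler must receive the program plus one URL."""
    return len(argv) == 2

if __name__ == "__main__":
    # URL of the form shown in the article, with [space] written out.
    url = 'myprotocol://someserver.com/some" argument'
    for launch in (launch_naive, launch_encoded):
        argv = launch(url)
        print(launch.__name__, is_single_argument(argv), argv)
```

With the raw URL the handler receives a third element, `argument`, that the page author controls; after encoding, the quote and the space arrive as `%22%20` inside a single argument.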

Other security experts such as Aviv Raff and David Maynor have also put their fuzzing tools on the case and have found a whole series of bugs which at least crash the browser.

Safari under Windows is certainly good news in principle. Web designers now have a WebKit browser available under Windows to test their web pages, users have an additional user-friendly browser with an RSS reader available. It would, however, have been fair of Apple not to classify the browser as a beta version, i.e. software which is sufficiently stable to supply to a wide range of users for testing. The current version of Safari is at best an alpha release, i.e. an application which should be provided to a restricted group of testers at most.

(mba)

Permalink: http://h-online.com/-733045