Three Vulnerabilities In Safari…. Apple Will Only Fix 1…. WTF?

Apple loves to brag about Safari’s security by saying “Apple engineers designed Safari to be secure from day one.” (Go to and click on security on the left side). But people keep finding holes in the browser that according to some are really serious.

Take Nitesh Dhanjani for example. He’s a security researcher who found three vulnerabilities in Safari and reported them to Apple. They in turn said that they would only fix one that they considered to be critical. As for the other two? He was told that Apple will look at them, but they will not do anything about them at this time. It’s a good thing that he wrote about these two issues in his blog for all to see. I’m guessing that Apple will do something about them now that they’re in the public eye.

If you take a look at these issues, they are things that, according to him, other browsers handle but Safari does not. So one could argue that Safari is lacking some functionality that Internet Explorer and Firefox have. That bothers me. That’s also the reason why Firefox has been my default browser on my MacBook Pro for as long as I’ve had the machine. It appears that something I said in this blog some time ago is coming true. Apple is making decisions that make that “more secure than Microsoft” aura disappear. Which means that all the momentum Apple has been gaining is at risk. All it takes is one high-profile exploit using one of those issues (or some other issue that we know nothing about) for things to come tumbling down around them.

5 Responses to “Three Vulnerabilities In Safari…. Apple Will Only Fix 1…. WTF?”

  1. I’m an actual IT guy. I work in a mixed environment, and in the real world, I have to give the XP SP2 (and now SP3) machines a douche, at least once a year. Macs are dual 2.0GHz G5s (the Macs far outnumber the PCs).

    Guess which ones I have to clean for viruses?

    In his own blog it says that some of them are more feature set requests than anything else.

    That headline, talking about that blog, is pure troll. Even the theme of this website hates you.

  2. Lawrence Says:

    The so-called vulnerability is that Safari doesn’t ask EVERY STINKING TIME if you want to download something? Are you telling us that IE and Firefox users don’t turn this stupid dialog box off the first time it appears? Are you telling us that you yourself just love this dialog box and happily click “OK” thirty thousand times a day? Are you THAT stupid?

  3. So far have you encountered any issue with the 2 supposed vulnerabilities mentioned? If not, stop nitpicking.
    BTW the biggest problem relating to any vulnerability is your good self for clicking on the icon and visiting unfamiliar sites and downloading stuff from there.

  4. Part of the issue is that Safari is designed for OS X users and for Windows folks only as an afterthought. The behavior this guy is requesting might be useful for Windows XP or Panther (10.3), but it would make no sense for either Vista or Tiger/Leopard since they track downloaded executables and warn you accordingly.

    If you double-click a downloaded app on Mac OS X, you’re warned it was downloaded, and given a chance to visit the website it came from. Under Leopard, its icon is shown as a crossed-circle over a faded app until you’ve authorized it. Under Vista you’re constantly nagged whenever you try to launch anything not installed the authorized way, so again, this would just be an extra, pointless nag.

    The problem with Vista and the mentality behind it is that by crying wolf so often it causes the user to automatically dismiss warning dialogs and miss the important ones. Apple has tried to keep warnings to an absolute, useful minimum, so that users neither automatically dismiss them nor are tempted to disable them.

  5. Juan Carlos de Burbon Says:

    I am all for Safari spreading malware onto PCs. That’s a feature, not a bug.
