Safari for Windows is not a trojan horse

Yesterday, Apple announced Safari 3.0, including a new version for Windows. This announcement is discussed in an article on CNN with a particularly unfortunate turn of phrase in one quote:

“Safari is another Trojan horse that introduces an innovation of Apple to the Windows community and entices them to the Mac platform”

Now, presumably the intention of this quote was to say that Apple is bringing a gift of innovative and exciting new software to Windows users, who’ll then be lured away to the wonders of Mac-land. Much like the “halo effect” of the iPod.

But it would seem that there’s something aside from enticing software that may be coming with this gift – new and exciting software vulnerabilities!
Among the first to welcome the new Apple Web browser were vulnerability researchers. Shortly after the beta release, security forums were abuzz with talk of new vulnerabilities in this new version of Safari. At least three researchers say they have already found security holes in the new browser.

Applications have become a prime target not just for security researchers looking for vulnerabilities, but also for cybercriminals. As Microsoft has improved the security of Windows, applications that run on the operating system have become increasingly popular attack vectors. Our take has always been that Apple software, regardless of what hardware or OS it’s run on, is just as vulnerable to issues as any other software. Apple software running on Mac OS X has been less of a target because it isn’t as widely used as that running on Windows. QuickTime in particular, which is widely used by Windows users, has long been favorite of vulnerability hunters and cybercriminals. It would seem Safari could be next.

Three of the researchers that announced vulnerabilities in Safari shortly after its release are Aviv Raff, David Maynor and Thor Larholm.
These guys claim several of the vulnerabilities they found could let an attacker remotely gain complete control over a Windows computer running Safari.

Safari 3.0 is still in beta and beta software is expected to have bugs. Even after final release, browsers with vulnerabilities have become more rule than exception. Microsoft’s Internet Explorer, Mozilla’s Firefox, and the existing version of Safari for OS X, regularly get patched to fix security vulnerabilities.

What it boils down to is this: The usual advice for safe computing remains the same. Don’t assume any software is inherently safe, regardless of how safe it purports to be. Software is written by humans, and humans do make mistakes, which can lead to vulnerabilities. Make sure you’re running up to date security software and install the latest security fixes from your software vendors.