Safari for Windows Could Threaten OS X, iPhone and Apple's Image

Published on by Jim Mendenhall

As you’ve probably heard, Apple has released a version of its Safari web browser for Windows. A lot has been said about why Apple would do this (my bet is that John Gruber is right and it’s about the $$$ that Apple will generate from Google searches), about how fast it truly is, and about why on earth anyone would want to run Safari on Windows. These are interesting topics of discussion, but I think the most important issue is what this release will do for Apple’s security. I think that releasing Safari on Windows presents a risk not only to Windows users but also to Mac OS X and iPhone users. Here are a few thoughts that came to mind when I heard the Safari on Windows announcement.

This puts Safari in the territory of the bad guys

With the release of Safari for Windows, Steve Jobs has placed key Apple software squarely in the sights of the world's black hat hackers and script kiddies. Security researchers and hackers, who have always been annoyed with Apple's arrogant claims of security, now have direct access to pound on Apple software on their own turf. Within hours of the release, security researchers are already finding vulnerabilities "popping out like hotcakes". Some of these vulnerabilities are reported to also work on the production version of Safari for OS X.

Safari on Windows becomes a huge attack surface

If Jobs and company manage to get just a tiny percentage of the current iTunes users to switch to Safari, we could soon have millions of people surfing the web with Safari on Windows. With iTunes, Apple has seen its share of vulnerabilities, but iTunes is not on the front lines when it comes to the virus/malware wars. The browser is the front line of defense against internet vulnerabilities; after all, it's the thing you use to browse the internet! Just ask Microsoft and Mozilla: securing a browser is no easy business and requires constant patches and vigilance. So far, Safari has not been much of a target for hackers, but if Apple successfully doubles or triples its market share, Safari will become a much more appealing target - no more "security by obscurity."

This move could compromise Mac OS X and iPhone security

The core rendering engine for Safari is called WebKit. WebKit was originally taken from the open source KHTML browser engine and is now used as the core HTML and JavaScript rendering engine not only for Safari but for Dashboard, Mail, and many other OS X applications. Safari and WebKit are also central to the iPhone. Apple is even telling developers to develop for the iPhone with Safari. I'm afraid the bad guys will soon be targeting OS X software and possibly the iPhone from the comfortable surroundings of their Windows machines. It's entirely possible that an exploit found in WebKit on Windows could be exploited in OS X Mail or the iPhone.

Apple can be very slow at releasing bug fixes

Traditionally, Apple has very slow turnaround times for fixing bugs. Symantec recently reported that in the second half of 2006 "there were 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes." This slow response time for releasing security fixes is simply unacceptable in the current, often hostile, Internet age. Microsoft has addressed this problem over the last few years by throwing more developers and money at Internet Explorer. Apple most likely does not have as much money to throw at Safari development as Microsoft, and it may prove difficult for a handful of developers to track down and quickly fix Safari for Windows bugs. Mozilla generally gets patches out much quicker due to its strong open source community. While Apple has made a small attempt to lure developers to WebKit, it seems only half-heartedly open source. One gets the feeling that it's only open source because it has to be, not because Apple really wants community support and involvement.

Safari for Windows could damage Apple's reputation

Talk of security vulnerabilities in Apple products will only damage Apple's image of being secure. These days, many people assume that Apple is more secure than Windows. If the news is suddenly (and consistently) filled with news of Safari security problems, this assumption could quickly change. In short, Apple is opening themselves up to a lot of potentially very bad press.

Apple's track record with iTunes and QuickTime does not give me hope

Apple has a practice of developing new iTunes and QuickTime releases in complete secrecy (sometimes even keeping information from their own support staff). They generally release applications immediately after some keynote by Steve Jobs. In the past year, there have been many problems with iTunes upgrades crashing computers and iPods. Customers are often left out in the cold as even Apple tech support has yet to see the new version. I can tell you that it's annoying when your iPod crashes, but if this practice is carried over into Safari releases, it could prove much worse than annoying.

This is BETA software but is being pushed like the final product

Steve was quite clear when he said that Safari 3 is a beta right now. Beta generally means that it's not ready for production use and should be used with caution. Recently, the word "beta" has been attached to every piece of software that people want to push to the mainstream but where they want an easy excuse when things go wrong (Gmail for example). Apple is not treating Safari 3 like beta software! It has placed Safari 3 in prominent locations all over the Apple website including the home page. Pushing buggy software out the door to millions of users is just not a good idea and increases the chances that the bad guys will find holes.

These are just some ideas that came to my mind. Hopefully Apple will figure everything out and all my security fears will be proven wrong. Well, I guess we can hope.

June 14, 2007 Update:

Looks like Apple is staying on top of the bugs. They've already released Safari for Windows 3.0.1. Keep up the good work, Apple!