Vulnerability researchers are having a grand time with the release of Apple’s Web browser Safari 3 Beta for Mac and Windows. Hours after its release June 12, independent security researcher Thor Larholm found a zero-day vulnerability relating to the URL protocol handler in the Windows version. The vulnerability specifically cites the “lack of input validation for the command line arguments handed to the various URL protocol handlers” on a Windows system. Larholm also cooked up a proof-of-concept exploit for this vulnerability.
Another independent security researcher, David Maynor of Errata Security, found 6 other vulnerabilities in the Windows version — four of these vulnerabilities could allow denial of service (DoS) attacks, while the other two could allow remote code execution on the affected system.
Citing unresponsiveness and use of marketing tactics by vendors to sugarcoat these kinds of security woes, both researchers have decided to publish their findings via their own Web sites. Both also claim that they are not selling and have no plans of selling their research to any individual or corporation.
Vulnerability disclosure is an ongoing debate among researchers, security experts, and software makers. Conflicts arise because of a lack of standard procedures to follow in vulnerability reporting, as well as in vulnerability hunting.
Safari is the third most popular Web browser, owning almost 5% of market share as of May 2007, according to NetApplications.com. As of this writing, no workarounds are available for the vulnerabilities cited. Since Safari 3 is still in its beta stage, users are advised to assess the possible effects on their machines before installing.