Wednesday, June 13, 2007

Safari 3 Beta leaves systems vulnerable to remote attack


It looks like while you can download the beta of Apple’s Safari 3 browser for Windows, you probably shouldn’t.

Security experts have been busily testing the software, hailed by Apple as twice as fast as IE7, and have found a number of instabilities and, more worryingly, exploitable vulnerabilities that could let a website run its own commands on an unsuspecting user's system. Within two hours of the release an exploit was coded that could launch a program on a visitor's machine and pass it commands.

“In view of the fact that Apple is using the security of the Mac browser as an advertising point, it is particularly shocking just how simple the bug is. Larholm opens the following form using an IFrame:

myprotocol://someserver.com/some"[space]argument

The quote mark followed by a space slips an additional parameter into the protocol handler's program call. With a few finishing touches a web page can use this to run its own commands on a visitor's system.”
- heise Security
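To make the mechanism in the quote concrete, here is an added example (not code from this post, heise Security, Larholm or Apple) that simulates a browser substituting a custom-scheme URL into a Windows protocol-handler command template and then tokenising the result the way the launched program would see its arguments. The handler path, the `"%1"` template and the simplified tokeniser are assumptions for illustration; the hardened variant percent-encodes the URL before substitution so a quote character can never close the quoted placeholder.

```python
"""Simulate protocol-handler argument injection on Windows.

Added example, not from the original post or any vendor. The handler
registration below is constructed; real handlers live under
HKCR\<scheme>\shell\open\command and commonly look the same.
"""
from urllib.parse import quote

# Constructed stand-in for a registered handler command, e.g.
#   HKCR\myprotocol\shell\open\command = "C:\Apps\myapp.exe" "%1"
HANDLER_TEMPLATE = r'"C:\Apps\myapp.exe" "%1"'


def win_split(cmdline):
    """Minimal Windows-style command-line tokeniser.

    Whitespace separates arguments; a double quote toggles a 'quoted'
    state in which whitespace is kept. This deliberately ignores the
    backslash-escaping corner cases of CommandLineToArgvW, which do not
    matter for showing how an unescaped quote splits an argument.
    """
    args, cur, in_quotes, have_arg = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
    if have_arg:
        args.append("".join(cur))
    return args


def naive_launch_args(url):
    """What the handler receives when the raw URL is pasted into %1.

    A '"' followed by a space inside the URL closes the quoted %1 early,
    so everything after it becomes one or more extra arguments.
    """
    return win_split(HANDLER_TEMPLATE.replace("%1", url))


def safe_launch_args(url):
    """Hardened substitution: percent-encode every character outside the
    RFC 3986 URL set before building the command line. '"' becomes %22
    and space becomes %20, so the URL always stays a single argument.
    An alternative is to reject URLs containing '"' outright.
    """
    encoded = quote(url, safe="/:?#[]@!$&'()*+,;=-._~%")
    return win_split(HANDLER_TEMPLATE.replace("%1", encoded))


if __name__ == "__main__":
    # Constructed attacker URL in the shape heise describes.
    evil = 'myprotocol://someserver.com/some" argument'
    print("naive :", naive_launch_args(evil))
    print("safe  :", safe_launch_args(evil))
```

Running it shows the naive path handing the handler three arguments, the last being the attacker-chosen `argument`, while the hardened path delivers the whole URL as a single second argument. Whether an injected argument is dangerous depends on the handler; many accept flags or file paths, which is what turns this parsing slip into code execution.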

I’ve no doubt that Apple will continuously upgrade and tweak Safari in the run-up to a full release, but right now it’s hard to recommend to anyone.

Check the whole article after the jump. [heise Security]
