The Mac Observer


Safari for Windows Beta Hammered for Being Beta

by , 1:25 PM EDT, June 13th, 2007

Apple released a public beta of Safari 3 for Windows XP and Vista on Monday, and it didn't take long for people to find problems with it. Not long after that, people were taking Apple to task for releasing beta software that exhibited rendering problems along with potential security-related issues.

So far, most of the complaints relate to security issues. Security researcher Aviv Raff found a potential security flaw right away. He commented "A first glance at the debugger showed me that this memory corruption might be exploitable. Although, I'll have to dig more to be sure of that. Again, this is just a beta version.. But, don't you hate those pathetic claims?"

David Maynor, another researcher, was able to produce a memory corruption error. "I'd like to note that we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs," he said.

Security researcher Thor Larholm found what he called a "zero day exploit" within a couple of hours. He said "I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site."

Of course, finding flaws like these now is preferable to finding them after Apple releases the final version of Safari 3 for Windows. The problem is that while researchers sift through Safari looking for bugs and security holes, some users have forgotten that "beta" means the software is still in development, and issues are bound to crop up.

Blogger News Network offered a typical reaction to Safari 3 for Windows beta. Nancy Reyes wrote "Living here in the Philippines, we get 'virus' infections all the time on our computer. So I was happy to hear that yesterday, Apple Corporation released a new webbrowser for windows systems [sic]. Ah, wonderful. Maybe this one will keep my computer from getting sick."

Relying on applications that are still clearly in a development and testing phase is likely to reveal problems ranging from stability and performance issues all the way to security-related flaws. Publicly available beta software is so common now that many people seem to have forgotten beta doesn't mean "finished and ready for everyday use."

Observer Comments

View Name:Guest
Subject: It's Beta inflation!
View Name:Guest
Subject: Not even beta quality
Close Name:Engine Joe Posts: 412 Joined: 29 Jun 2004
Subject: Oh, please...

Alpha releases are downright unusable. Safari for Windows isn't unusable.

View Name:Guest
Subject: Web vs Desktop Beta
View Name:Guest
Subject: Re: Not Even Beta
View Name:Guest
Subject: Beta is as beta does
Close Name:macslut Posts: 60 Joined: 03 Sep 2004
Subject: Here's why Apple did right...and why idiots are ruining it.

This is *BETA*. It comes with warnings. It is publicly available, but it was announced and released at a DEVELOPER's conference.

Safari for Windows is perfectly fine as a beta development browser.

This means that you don't even install it on a mission critical machine or use it for critical tasks specifically including instances where stability and security are an issue.

A bunch of idiots who don't understand what beta means are ruining it for web developers who want beta browsers to be available so that they can make sure their web development is compatible with new browsers. The same is true for 3rd party add-on developers.

Safari for Windows greatly exceeds this minimum threshold for being beta release worthy.

Close Name:Sir Harry Flashman Posts: 627 Joined: 08 Feb 2007
Subject: A question for you programmers on this blog

How much of the security problems with the Windows version is Safari related and how much is Windows related?

That being said I think Apple should have released the beta version of Safari under the Apple Developers Program. It is going to get a bad reputation out there when any Tom, Dick, or Harriet can download it and have beta related problems.

I installed it on my HP and it works okay. I will get a chance to test it more in a few days.



Last edited by Sir Harry Flashman on Wed Jun 13, 2007 3:40 pm; edited 1 time in total
View Name:Guest
Subject: Yes
Close Name:Staggie Posts: 21 Joined: 06 May 2004
Subject: It sure has a Beta-sized memory leak on XP

I had Safari open in the background with four open tabs and it was using just under 500 MB of memory. I like being able to use Safari on my work system, but for now it's just not ready.
I think a beta to Developers only would have made a lot more sense, per Sir Harry. It's just not at the point that it should be available to the general public, even as a beta.

Close Name:Biff Posts: 1479 Joined: 08 Apr 2004
Subject:

Quote
Staggie wrote:
I had Safari open in the background with four open tabs and it was using just under 500 MB of memory. I like being able to use Safari on my work system, but for now it's just not ready.
I think a beta to Developers only would have made a lot more sense, per Sir Harry. It's just not at the point that it should be available to the general public, even as a beta.
And when you closed, I dunno, let's say 3 of those tabs, did the memory usage not drop somewhat proportionally? Or alternatively, did the memory usage continue to increase without you opening any more pages? If not, then it's probably not a memory leak and Safari is just a memory hog at the moment. If it is a huge memory leak, both Apple and I would appreciate it if you could report it to them using the Bug button. It sounds like you can reproduce it pretty easily, so include those steps in your bug report. Believe me, they will be very happy if you found a memory leak for them to fix.

View Name:Guest
Subject: Disappointed
Close Name:LaurieF -   TMO Forum Mod Posts: 3498 Joined: 15 Jun 2001
Subject:

Caveat utilitor. For you it's unusable, sure. For many it is not. Probably, and this is the whole point of beta testing, the squeaky wheels will get the oil. Those people who have no problems probably won't report that it's working fine. Did you tell Apple that Boot Camp is without a glitch?

I suggest you report the problems you are having to Apple, so that it knows about it. Apple will love you for it.

PR disaster? taint Safari for Windows forever? Have you been taking your hyperbole pills again?



Last edited by LaurieF on Wed Jun 13, 2007 7:23 pm; edited 1 time in total
View Name:Guest
Subject: i don't know how you could get to this conclusion
Close Name:gslusher Posts: 2043 Joined: 13 Nov 2002
Subject: Not just developers

Quote
Sir Harry Flashman wrote:


That being said I think Apple should have released the beta version of Safari under the Apple Developers Program. It is going to get a bad reputation out there when any Tom, Dick, or Harriet can download it and have beta related problems.


That might not get it really tested under Windows. One of the big problems Windows applications have is the mind boggling array of CPUs, graphics cards, sound cards, etc. that are running Windows. The only way to really test it is to let a lot of people with a wide variety of hardware use it. It will also more likely show up problems that arise from user errors--we ordinary folks are more likely to make such errors than developers.

Betas should go to the user community, not just experts.

Close Name:daemon Posts: 308 Joined: 17 May 2007
Subject: Safari

I used Safari on Windows XP today. I have to say, I didn't notice any difference in safari's speed over internet explorer. I loaded in to each www.wotmania.com, www.youtube.com, video.google.com, and www.tomshardware.com on different tabs (I normally surf with between 5 to 10 browser windows open) and found that they each seemed just as responsive as the other. I checked my memory load and noticed one strange thing, IE had 68 megs of memory used and safari had 140 megs of memory used. As far as looks go, safari looked like it had all the text bold face compared to IE's normal, which aesthetically didn't please me, and it seemed to show colors darker than IE. As far as features go, like all non IE XP browsers it wasn't able to take advantage of the premium extensions of exchange server 2003's web interface, and it lacked the capability to zoom in on a webpage, a feature that I have a huge love for in IE 7.0.

All in all, it's an alright browser, I don't think I'll use it much tho.

View Name:Guest
Subject: Perhaps it's that slick Apple advertising blurb....
Close Name:Bosco Posts: 999 Joined: 03 Jun 2002
Subject: Is it a Windows problem?

Quote
Sir Harry Flashman wrote:
How much of the security problems with the Windows version is Safari related and how much is Windows related?


None. The browser basically has a few tasks. The first is to communicate with remote servers. For this, it uses the platform's TCP/IP stack. Expect that stack to be pretty robust because if it wasn't, it would be exploited routinely for everything. The second task is to parse the HTML code returned by the server. The third is to display the pages and interact with the user. Exploitable code usually suffers from one of two problems: null (or garbage) pointer dereferencing and (a special case of the first) array dereferencing out of bounds. These kinds of problems creep in when programmers aren't cautious, consistent, and thorough.

Frankly, most programmers (especially C wizards) aren't defensive enough and even see defensive programming as being a giant programming pussy. That's the best way to describe it. It's why the idea of millions of eyes from open source or pair programming for agile development are not guarantors of quality. These processes reinforce common wisdom, not best practices.

It's also why I see development environments like REALbasic that make it difficult for the programmer to make those errors (or insulate against their effects by having checks against such errors embedded in the frameworks) creating more reliable products. When you work at a higher level of abstraction, you avoid lots of potential security problems. Performance doesn't have to take a significant hit if you know what you're doing and if you can isolate performance specific code in plugins written in C. That also isolates your potential security problems.
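The two failure modes named in the post above (a NULL or garbage pointer, and an array index out of bounds), shown as an added C example that is not part of the original comment or of any Safari code: a hypothetical helper that pulls one attribute value out of a tag, first without checks and then written defensively. The function names, status codes and sample tag are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: one tag as a tokenizer might hand it over. */
static const char SAMPLE_TAG[] =
    "<a href=\"http://example.com/page\" title=\"x\">";

/* Undefensive version, shown for contrast and never called here.
 * If attr is absent, strstr() returns NULL and the arithmetic yields a
 * garbage pointer; if the value is longer than out[], the loop writes
 * past the end of the array. */
void attr_value_unchecked(const char *tag, const char *attr, char *out)
{
    const char *p = strstr(tag, attr) + strlen(attr) + 2; /* skip =" */
    size_t i = 0;
    while (*p != '"')
        out[i++] = *p++;                 /* no limit on i */
    out[i] = '\0';
}

enum attr_status { ATTR_OK = 0, ATTR_BAD_ARG = -1, ATTR_MISSING = -2,
                   ATTR_MALFORMED = -3, ATTR_TOO_LONG = -4 };

/* Defensive version: every pointer and length is validated before use. */
int attr_value_checked(const char *tag, const char *attr,
                       char *out, size_t out_size)
{
    if (tag == NULL || attr == NULL || out == NULL || out_size == 0)
        return ATTR_BAD_ARG;
    out[0] = '\0';                       /* defined result on every path */
    size_t alen = strlen(attr);
    if (alen == 0)
        return ATTR_BAD_ARG;

    /* Find attr as a whole name: preceded by a space, followed by =" */
    const char *p = tag;
    while ((p = strstr(p, attr)) != NULL) {
        if (p != tag && p[-1] == ' ' && p[alen] == '=' && p[alen + 1] == '"')
            break;
        p += alen;
    }
    if (p == NULL)
        return ATTR_MISSING;

    const char *start = p + alen + 2;
    const char *end = strchr(start, '"');
    if (end == NULL)
        return ATTR_MALFORMED;           /* no closing quote */
    size_t len = (size_t)(end - start);
    if (len >= out_size)
        return ATTR_TOO_LONG;            /* refuse rather than truncate */
    memcpy(out, start, len);
    out[len] = '\0';
    return ATTR_OK;
}

int main(void)
{
    char big[64], small[8];
    printf("%d %s\n", attr_value_checked(SAMPLE_TAG, "href", big, sizeof big), big);
    printf("%d\n", attr_value_checked(SAMPLE_TAG, "href", small, sizeof small));
    printf("%d\n", attr_value_checked(SAMPLE_TAG, "src", big, sizeof big));
    return 0;
}
```

The checked version returns a distinct status for each rejected input, so the caller can log or drop the tag instead of continuing with a corrupted buffer.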

Close Name:Sir Harry Flashman Posts: 627 Joined: 08 Feb 2007
Subject: Gotta disagree

Quote
gslusher wrote:
That might not get it really tested under Windows. One of the big problems Windows applications have is the mind boggling array of CPUs, graphics cards, sound cards, etc. that are running Windows. The only way to really test it is to let a lot of people with a wide variety of hardware use it. It will also more likely show up problems that arise from user errors--we ordinary folks are more likely to make such errors than developers.

Betas should go to the user community, not just experts.


The hoi polloi won't do "testing" and they won't report back to Apple. They may try it and if it doesn't work they will at the very least stop using it, but will probably bad mouth it to all and sundry. The Windows software developers are another story.

But yeah, the myriad of Windows box configurations is a problem.

Close Name:gslusher Posts: 2043 Joined: 13 Nov 2002
Subject:

Quote
daemon wrote:
I used Safari on Windows XP today. I have to say, I didn't notice any difference in safari's speed over internet explorer. I loaded in to each www.wotmania.com, www.youtube.com, video.google.com, and www.tomshardware.com on different tabs (I normally surf with between 5 to 10 browser windows open) and found that they each seemed just as responsive as the other.


Unfortunately, that's not a good way to test browser speed, as it depends very much upon the Internet response, which can change from second to second. The best way to test browsers is to load pages from your hard drive. One way to come close to this is to:

1. Clear the browser's cache.

2. Load a fairly complicated web page, but not one that has dynamic content (e.g., ads that change every few seconds). Do not use a site like YouTube, which does change every time you access it.

3. Close that page and quit the browser. (Also quit any other applications you have running.)

4. Open the browser and go to the SAME page, precisely--use the history menu.

What this does is to load all the images, CSS, javascripts, etc., into the cache. When the page is loaded a second time, your browser should get all that from the cache, rather than downloading it.

An even better way would be to download an entire page, including all images and other stuff, then clear the cache, quit and relaunch the browser, and open the page you downloaded, from the hard drive, not from the Internet.

Close Name:doogie Posts: 12 Joined: 21 Sep 2004
Subject: Haven't Tried it on Windows ...

... but I'm liking it on my MBP.

I really like the new Find command, the faster speed and spell check in text boxes! I haven't found any problems yet, but I haven't been trying to break it. I've simply been using it. It works.

I wish it hadn't broken Acid Search, but I imagine that this will be fixed. I use it all the time, so I hope it's fixed soon!

View Name:Guest
Subject: overloaded claims will get you burned
Close Name:LaurieF -   TMO Forum Mod Posts: 3498 Joined: 15 Jun 2001
Subject:

We're doomed, Captain Mainwaring, we're doomed!

Bloody troll - what's your point?

I'm a software developer. I do a lot of unit testing, because I like a quiet life. But there's a point at which I can test no further, because I've exhausted all the possible (and impossible) things that can go wrong. At that point I pass it over to the testers, and there follows a number of (hopefully few) "D'oh" moments. I go back, fix the problem up, and it goes back to the testers with promises on both sides of beer for failure. That's how the Software Development Life Cycle works.

This is a beta test. It says so when you download it. Jobs said it's Beta - that's a fact. He said it's the best browser available - that's marketing.

Get a grip.

Close Name:coaten Posts: 2971 Joined: 10 Oct 2001
Subject:

Quote
LaurieF wrote:
We're doomed, Captain Mainwaring, we're doomed!

Bloody troll - what's your point?

I'm a software developer. I do a lot of unit testing, because I like a quiet life. But there's a point at which I can test no further, because I've exhausted all the possible (and impossible) things that can go wrong. At that point I pass it over to the testers, and there follows a number of (hopefully few) "D'oh" moments. I go back, fix the problem up, and it goes back to the testers with promises on both sides of beer for failure. That's how the Software Development Life Cycle works.

This is a beta test. It says so when you download it. Jobs said it's Beta - that's a fact. He said it's the best browser available - that's marketing.

Get a grip.


You know, in all my years of watching Dad's Army, it had never occurred to me that Captain "Mannering" would be spelled in what I assume is an old-English form. But of course, it is!

Oh, and yes, it's a beta, dude... get over it.

Close Name:Intruder -   TMO Mac Specialist Posts: 2924 Joined: 07 Jul 2004
Subject: RE: overloaded claims will get you burned

You mean like Bill Gates claiming that Vista is "dramatically more secure than any other operating system released"?

Those kinds of overloaded claims?

If you can't see marketing for what it is, then there really is no hope for you.

Close Name:Terrin Posts: 357 Joined: 29 Jan 2006
Subject:

I have mixed feelings on that. Mac users understand the concept of a Beta. I am using Safari 3 on my Mac, and it solves a bunch of minor issues with the previous version, so I am glad I did not have to wait. Especially when I have no known bugs. I am also running a four year old Mac.

I might agree with you about releasing it as a Windows Beta. However, I think the problem is more the way Apple released it. It is already marketing it as the best and fastest browser. Jobs should have said Apple intends for it to be the best and fastest browser when released. Apple also should make it more clear when people are downloading Safari exactly what Beta means. Many people do not know. Apple should also make it more clear that many of the plugins are needed to make the browser functional.

For what it is worth, I installed it painlessly on my girlfriend's XP machine. The only issue was I had to install some plugins. However, she has been using it exclusively since Monday, and hasn't complained of any bugs yet. It is also interesting to note that she is studying online for the Nursing Exam using Kaplan. Firefox had issues using some of Kaplan's calculator functions, so much so that she had to use Explorer instead. Safari has not had the Firefox problems.


Quote
Sir Harry Flashman wrote:
How much of the security problems with the Windows version is Safari related and how much is Windows related?

That being said I think Apple should have released the beta version of Safari under the Apple Developers Program. It is going to get a bad reputation out there when any Tom, Dick, or Harriet can download it and have beta related problems.

I installed it on my HP and it works okay. I will get a chance to test it more in a few days.

Close Name:daemon Posts: 308 Joined: 17 May 2007
Subject:

Quote
gslusher wrote:

Unfortunately, that's not a good way to test browser speed, as it depends very much upon the Internet response, which can change from second to second. The best way to test browsers is to load pages from your hard drive. One way to come close to this is to:


Oh, you're completely correct, I mean, whenever I browse the Internet I always want last week's macobserver page and I don't want the current news, just stuff I've already read. /sarcasm

Quote

1. Clear the browser's cache.

2. Load a fairly complicated web page, but not one that has dynamic content (e.g., ads that change every few seconds). Do not use a site like YouTube, which does change every time you access it.

3. Close that page and quit the browser. (Also quit any other applications you have running.)

4. Open the browser and go to the SAME page, precisely--use the history menu.

What this does is to load all the images, CSS, javascripts, etc., into the cache. When the page is loaded a second time, your browser should get all that from the cache, rather than downloading it.

An even better way would be to download an entire page, including all images and other stuff, then clear the cache, quit and relaunch the browser, and open the page you downloaded, from the hard drive, not from the Internet.

Close Name:gslusher Posts: 2043 Joined: 13 Nov 2002
Subject:

Quote
daemon wrote:
Quote
gslusher wrote:

Unfortunately, that's not a good way to test browser speed, as it depends very much upon the Internet response, which can change from second to second. The best way to test browsers is to load pages from your hard drive. One way to come close to this is to:


Oh, you're completely correct, I mean, whenever I browse the Internet I always want last week's macobserver page and I don't want the current news, just stuff I've already read. /sarcasm


Get rid of the sarcasm. It's unbecoming. The question is to test BROWSER speed, irrespective of the speed of your Internet connection. Loading random pages, especially without clearing the cache, tells you very little.

In a similar vein, when comparative speed tests are done on computers, standard tasks are used, like applying a Gaussian blur to a large image in Photoshop, sorting a large database, running a standard series of calculations, etc. When testing printer speeds, a set of standard pages is used.

It's about controlling variables--the fewer uncontrolled/unknown variables, the more accurate the test--the more it reflects the inherent speed of the software and/or hardware or whatever you're trying to test.

Close Name:daemon Posts: 308 Joined: 17 May 2007
Subject:

Quote
gslusher wrote:

Get rid of the sarcasm. It's unbecoming.


No.

Quote
The question is to test BROWSER speed, irrespective of the speed of your Internet connection.


Wait, are we talking about application load time here or user experience while browsing the internet? Because I thought the 2 times faster thing was supposed to be browsing the internet.

Quote
Loading random pages, especially without clearing the cache, tells you very little.


It's like you're trying to make sense, but failing.

Quote
In a similar vein, when comparative speed tests are done on computers, standard tasks are used, like applying a Gaussian blur to a large image in Photoshop, sorting a large database, running a standard series of calculations, etc. When testing printer speeds, a set of standard pages is used.

It's about controlling variables--the fewer uncontrolled/unknown variables, the more accurate the test--the more it reflects the inherent speed of the software and/or hardware or whatever you're trying to test.


You see, I think there's something you're missing here. I was testing the subjective speed of both browsers to me as I used them concurrently. Neither had the pages I was loading up cached.
