Update to Safari browser contains 11 patches for Windows

By Scott M. Fulton, III | Published November 13, 2008, 7:32 PM



Today's round of updates to Apple's Safari contains just four patches that affect the Mac OS X edition, but eleven for Windows Vista and XP, several of which would forestall some very familiar-sounding exploits.

In October 2007, users of the first-edition iPhone were treated to a Safari patch that addressed what was then considered an indication of a serious design flaw: a maliciously crafted TIFF image file could trigger unprivileged code to be executed. At the time, an active exploit was feared to be in the wild.

Now, a patch for a vulnerability with a very similar, if not altogether identical, profile appears in the latest version 3.2 of Safari for Windows (this particular patch does not apply to Mac OS X users). Specifically, TIFF images that have been compressed using the well-known Lempel-Ziv (LZW) algorithm will now be treated with more care and concern, according to Apple's security bulletin released today.

That's one of two patches in version 3.2 that improve handling of TIFF images specifically, and five patches overall that involve malicious hijacking of image processing. Among the four patches that apply to both Windows and Mac editions is one that disables the ability for Safari plug-ins to launch local URLs without safeguards -- an ability identified by Microsoft and VeriSign security researcher Billy Rios, to whom Apple gives full credit.

Last year, Rios' name made it to BetaNews when he discovered that a malformed URI handler flaw that had been attributed to Mozilla Firefox was actually attributable to Windows.

Comments


"well-known Lempel-Ziv (LZW) algorithm"

Mr. Welch wants his credit for the algorithm also. It's LZW for a reason.

Score: 0


Apple needs to stick with computers and leave the browser to Mozilla and Opera.

Fx runs rings around Safari in all areas and Opera is a close second or a personal choice.

'Nuff said.

Score: 0


Can someone get rid of this guy???!!!

Score: -1


I use Safari on my Mac, Windows, iPhone - it is great! One comment: we need flash support on the iPhone asap...

my comments at http://www.commentino.com/orim

Score: -1


Apple sucks! so does Safari. They are famous for making bloatwares like QuickTime, iTunes and now Safari to plague the world of Windows. We prefer firefox not rotten Safari!

Score: 0


The much wiser and internetworld has arrived....I like this guy. :)

Score: 0


That's true, Firefox is the best...period

Score: 0


Thanks :)

Score: 0


Wow I just love Safari 3. It has everything I want in a browser that no other browser comes close to offering. Now the world's best browser has become even more secure.

Score: 0


ROFL Safari is the biggest steaming pile of crap of them all.

The true best browser right now is FireFox and Safari isn't even slightly close to it.

Score: 0


Small typo:
"Specifically, TIFF images that have been compress*ed* using [...]"

Score: 0


I heartily chuckle at the 22 MB download for the browser, and having to dl the whole thing just to patch. How very Open Office like.

Score: 0


There are some reasons why Apple would have chosen to only do a full installer rather than a patcher.

Pros to patching:
- If the original file is copyrighted, you can still distribute modifications to it freely using patches (ROM hacks, uxtheme.dll hack).
- If the original file is large, you can reduce download size.

There are many more cons:
- A patch can only patch one specific version of a program. Multiple patches will need to be made if multiple versions are to be patched.
- If data corruption, user changes, or a virus has modified a file, the patch will no longer work. It will either detect the changes and fail in the best case, or attempt the patch and corrupt the file in the worst.
- Patch software can be difficult to program... any patch creation software has to recognize not only when data has changed, but where it has been inserted and removed, and then tie all this information into a file format, and then make a client program to detect and patch a file and determine whether the patched file is corrupt or OK. Sometimes it just isn't worth the trouble (although I'm sure there are plenty of pre-made tools which make it easier).
- You usually release the full installer anyway so...

Here's an example of upgrading without patching you may not be aware of: Windows Update. Yes they claim to use patches, but only in the sense that only specific files are updated and not the whole OS at once; but the files are REPLACED with new versions, not patches. If patches were used, then patching the TCP/IP driver to remove the half-connection limit, or patching uxtheme.dll to allow unsigned themes, or patching explorer.exe to customize the Start button text, would all cause Windows Update to fail when trying to patch these files. Instead we see the customizations removed when the file is replaced.

Also 22mb is not a whole lot, especially when you compare it with the more-like-220mb OpenOffice. That said, a patch system might benefit Safari (Firefox uses one) but most end-users won't really know or care anyway...

Score: 0
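The trade-off sketched in the comment above (a delta patch only fits one exact source version, and a patch applied to a file that has been corrupted, hand-modified or infected either fails cleanly or silently corrupts the result) is easy to make concrete. The following is an added illustration, not code from the article, from Apple or from any commenter: a minimal byte-level delta patcher in Python that binds each patch to the SHA-256 of the exact source it was built for and to the SHA-256 of the expected result, so a mismatched source is rejected before anything is written and a corrupted output is rejected after. The "build" files and the tampered copy are constructed sample data; the function and field names are this example's own.

```python
import base64
import hashlib
import json
from difflib import SequenceMatcher


class PatchError(Exception):
    """Raised when a patch cannot be applied safely."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_patch(old: bytes, new: bytes) -> dict:
    """Build a byte-level delta from old to new, bound to both files' hashes.

    Each op is (tag, i1, i2, data): 'equal' copies old[i1:i2], 'delete' drops
    old[i1:i2], and 'replace'/'insert' emit the stored new bytes instead.
    """
    ops = []
    matcher = SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("equal", "delete"):
            ops.append((tag, i1, i2, b""))
        else:  # "replace" or "insert": carry the new bytes in the patch
            ops.append((tag, i1, i2, new[j1:j2]))
    return {"old_sha256": sha256_hex(old), "new_sha256": sha256_hex(new), "ops": ops}


def apply_patch(old: bytes, patch: dict, check_source: bool = True) -> bytes:
    """Apply a delta; refuse to touch a wrong source and refuse to ship a wrong result."""
    if check_source and sha256_hex(old) != patch["old_sha256"]:
        raise PatchError("source file does not match the version this patch was built for")
    out = bytearray()
    for tag, i1, i2, data in patch["ops"]:
        if tag == "equal":
            out += old[i1:i2]
        elif tag in ("replace", "insert"):
            out += data
        # "delete": nothing is copied
    result = bytes(out)
    # Post-apply check: catches the "attempt the patch and corrupt the file" case
    if sha256_hex(result) != patch["new_sha256"]:
        raise PatchError("patched result does not match the expected hash; refusing to install")
    return result


def serialize_patch(patch: dict) -> bytes:
    """JSON wire form of a patch (binary runs base64-encoded), to compare sizes."""
    return json.dumps({
        "old_sha256": patch["old_sha256"],
        "new_sha256": patch["new_sha256"],
        "ops": [[tag, i1, i2, base64.b64encode(data).decode()]
                for tag, i1, i2, data in patch["ops"]],
    }).encode()


# Constructed sample "builds": an old file, a new one with a small change and one
# appended line, and a copy of the old file with a single byte altered (as a
# corruption or unauthorised modification would leave it).
OLD_BUILD = b"".join(b"record %04d: image decoder table entry\n" % i for i in range(60))
NEW_BUILD = (OLD_BUILD.replace(b"record 0017:", b"record 0017 (bounds-checked):")
             + b"record 0060: extra validation step\n")
TAMPERED_BUILD = OLD_BUILD[:100] + b"X" + OLD_BUILD[101:]


if __name__ == "__main__":
    patch = make_patch(OLD_BUILD, NEW_BUILD)
    print("full download:", len(NEW_BUILD), "bytes; delta:", len(serialize_patch(patch)), "bytes")
    print("clean source patched ok:", apply_patch(OLD_BUILD, patch) == NEW_BUILD)
    for check in (True, False):
        try:
            apply_patch(TAMPERED_BUILD, patch, check_source=check)
        except PatchError as err:
            print(f"check_source={check}: rejected ({err})")
```

With the source check on, the tampered file is rejected before any bytes are assembled; with it off, the patch is applied blindly and the damaged output is caught only by the result hash, which is the difference between the best and worst cases the commenter describes. A real updater would also sign the patch metadata so the hashes themselves cannot be swapped, which this example does not show.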


Firefox, too, uses a "substitute just the changed files" way of upgrading, like WU.
And despite my 6Mb adsl I still think a 22MB upgrade is a lot to download...

Score: 0


That is PURE laziness.

The Apple Updater should be able to determine--like the FF one does-- if it needs a delta change or full update.

Score: 0


"Patch software can be difficult to program..."

This is also laziness. You don't design software without the foresight to be able to update it. Apple ignoring the ability to update 1-2 files instead of the whole package screams of sloppy, lazy programming, which is evident in their programming of itunes in general (complete bloatware, that in my opinion will bite them in the as? one day.)

Score: 0

