Is Apple Safari Safe?

By Tom Kaneshige, CIO.com | Security, hack, pwn2own

When security researcher Charlie Miller hacked the Mac through the Safari browser in under 10 seconds last week, the question raised was deafening: Is Apple Safari secure? The answer, of course, is a bit more complicated.

For the second time in as many years, Miller took control of a Mac to win the CanSecWest's PWN2OWN contest. Both times, Miller found a way inside through a fully patched Safari browser. Three other browsers, including market leader Internet Explorer, also fell later in the competition.


Among techies, Safari lags behind popular browsers in its security prowess. Safari is the only major browser without data execution prevention, which helps prevent buffer overflows, says Roger Grimes, a product reviewer for sister publication InfoWorld. "It's just inexcusable," Grimes says. "The entire world also supports the advanced encryption standard except Apple -- and that means something."

Greater market share leads to a security culture

Part of the problem, say industry watchers, is that Apple doesn't have a very strong security culture. In comparison, other companies like Microsoft have spent years creating a security development lifecycle, or SDL, whereby every software coder has been trained in security and every product undergoes a rigorous inspection process both internally and externally with contract hackers.

"In general, Apple does not have a great track record in the security of its code, and Safari follows that tradition," says Gartner's John Pescatore. When it comes to security, adds Grimes, "Safari is the weakest of the major browsers."

The reason companies like Apple are slow to build security into their products and culture is that "security doesn't sell anything," says Grimes. "The most secure product rarely wins." When a product such as the Mac gains market share, security becomes more important. In fact, new kinds of Trojans and cross-platform exploits are now taking aim at the Mac, which means Apple will have to change its attitude about security. Apple could not be reached for comment.

For Safari, the critical mass that moves the dial toward better security measures is still a long way off. In a recent Forrester survey of 50,000 enterprise users, Internet Explorer boasted 78 percent market share compared to Safari's paltry 1.4 percent.

Secure browsers are a moving target

All the major browsers at CanSecWest's PWN2OWN contest fell this year, which shows just how difficult it is to build a secure browser. A browser is one of the most complex, hard-to-secure pieces of software running on your desktop. "Since browsers are literally a window to the Internet, they are extremely vulnerable to malicious code masquerading as a plug-in, applet or application," says Jon Oltsik, analyst at the Enterprise Strategy Group. "Things like Javascript and Flash are particularly good threat vectors."

To be fair, Safari is strong in the areas of anti-phishing filtering and pop-up blocking. "Safari isn't bad in itself," Oltsik says. "Two things are happening here: Developers don't know how to write secure software, and there are a ton of openings that researchers and hackers can poke at to find vulnerabilities."

Yet in the real world, a technically secure browser may not matter much. In a corporate setting, for instance, a browser like Safari, Internet Explorer or Firefox would likely be locked down and therefore less vulnerable, Oltsik says. Moreover, the vast majority of successful attacks have nothing to do with the security built into the browser but with the fallibility of the end user. People just don't do a good job of patching software and are often tricked into running malicious executables.

"Suppose there's a year when Safari has no bugs," meaning the Apple security team did its job perfectly, says Grimes, "it probably won't affect the [success rate] of malware at all." That's because most of the exploits today, Grimes says, take advantage of end-user folly, not browser security shortcomings.
