Apple's Safari browser likened to malware

Mozilla chief executive John Lilly has lambasted Apple for its use of iTunes to offer the Safari web browser to Windows users, saying the technique "borders on malware distribution practices" and undermines the security of the Internet.

"What Apple is doing now with their Apple Software Update on Windows is wrong," Lilly wrote on his personal blog. "It undermines the trust relationship great companies have with their customers, and that's bad - not just for Apple, but for the security of the whole web."

Mozilla makes the Firefox browser, currently the most popular alternative to Microsoft Internet Explorer with about 15 percent of the market to IE's 78 percent, according to figures cited recently by Apple. Apple said Safari currently has about 5 percent of the market, a figure the company is setting out to increase.

Indeed, in June of last year when the company announced Safari would be coming to Windows, Apple chief Steve Jobs said Apple would be using iTunes to deliver Safari to Windows users.

Lilly said he doesn't have a problem with the "basic industry practice of using your installed software as a channel for other software." Rather, it's the particular way that Apple has made use of that channel - adding Safari by default to an update mechanism normally used for updates to already-installed programs, including urgent security updates.

Apple Software Update, which is installed along with QuickTime or iTunes on Windows PCs, currently lists Safari 3.1 as a default download, already checked, alongside the latest update to iTunes.

"The problem here is that it lists Safari for getting an update - and has the 'Install' box checked by default - even if you haven't ever installed Safari on your PC," Lilly wrote.

With this particular type of mechanism, Lilly argued, it's important that users trust that the updates offered are necessary, so that they update as often as possible without really thinking about it.

"The likely behavior here is for users to just click 'Install 2 items', which means that they've now installed a completely new piece of software, quite possibly completely unintentionally," Lilly wrote. "This is wrong, and borders on malware distribution practices."

He said the practice undermines the way software makers want users to behave toward update systems, which "ultimately undermines the safety of users on the web."

Lilly said he has no criticisms of the Safari browser itself.

Apple's manner of offering Safari 3.1 was also criticized by security experts when it appeared last week along with 13 security bug fixes.

Andrew Storms, director of security operations at nCircle Network Security, warned that Apple "has to be careful" releasing such extensive security updates.

"Safari may not have any more bugs, and fixes, than IE and Firefox, but unleashing a giant package like this is going to create worry among users. When you release a dot-release version and it comes with a motherlode of vulnerabilities, that can bring down the favorable relationship that Apple has with its users," Storms said.

The new Safari, which Apple proclaimed "the world's fastest web browser for Mac and Windows PCs," fixed the same 10 flaws in the Mac and Windows editions, and three more in Safari for Windows XP and Windows Vista. Most of the 13 vulnerabilities were cross-site scripting bugs.