Test Center: How secure is Safari?

Apple's Web browser has many good protections, but lacks security zones, granular controls, and strong cipher support

Apple's Safari, released for the Windows platform in June 2007, is the second newest browser on Windows, behind Google's Chrome. (Naturally, Apple's browser also runs on OS X, and on iPhone and iPod Touch devices in a mobile edition.) Safari leads the pack in anti-phishing filtering and pop-up blocking, but it also has many security weaknesses.

Safari can be freely downloaded from Apple's Web site, and it is offered as an opt-in download option through Apple's Software Update program, which is installed with other Apple software, including iTunes and QuickTime. After Safari is installed, Software Update checks for Safari patches once a week using a Task Scheduler job.

[ See also the security reviews of Firefox, Internet Explorer, Google Chrome, and Opera. For more on browser security and protection against Web-borne threats, see the Security Adviser blog and "Test Center: Browser security tools versus the evil Web." ]

The Safari installer also installs a service called Bonjour, which allows Apple programs to advertise themselves and discover other Bonjour-compatible programs on the local network. Bonjour is used to automatically configure printers, hunt for file sharing opportunities, and find instant messaging peers, and it allows Safari to discover additional Web pages on the local network. In general, most security experts are wary of auto-discovery programs like Bonjour, and Bonjour itself has been involved in at least three known exploits. Bonjour is not essential to Safari's functionality and can be disabled.

Windows Safari
The Safari executable is not User Account Control (UAC)-aware on Windows Vista computers, but Vista automatically elevates permissions for the install because the word "setup" is in the name (potentially, if Vista's heuristics detection functionality is disabled, the install could fail). On Windows Vista, Safari runs as a single process (Safari.exe) with DEP (Data Execution Prevention) disabled, a security negative shared only by Opera; ASLR (Address Space Layout Randomization) enabled; and file system and registry virtualization enabled, all with a MIC (Mandatory Integrity Control) level of Medium. In comparison, the rendering processes of both Internet Explorer and Google Chrome run with the more secure MIC setting of Low.

Safari is a full-featured browser, with common security features, including pop-up blocking, private session browsing, and an anti-phishing filter. The pop-up blocking is among the best, and the anti-phishing filter is the most accurate among the browsers I tested (Internet Explorer, Firefox, Google Chrome, and Opera). Java, JavaScript, and plug-ins can be turned off on a global basis. As with most browsers (Firefox and IE being notable exceptions), Safari provides no security zones in which to place Web sites of varying degrees of trustworthiness, or to enable or disable functionality on a per-site basis.

Safari always automatically prompts for approval before downloading files, and prevents some high-risk files (.exe's, .scr's, etc.) from being executed before downloading. Safari also has good default cookie control. It is the only browser among those I tested to prevent all writes by third-party cookies by default, which is a nice privacy bonus (and no doubt frustrating to ad vendors).

On Mac OS X systems, Safari's passwords are protected by Apple's Keychain password management system. But even on Windows, Safari's locally stored passwords are well protected. As in Internet Explorer, stored Web site passwords are never displayed. However, Safari took dead last in remote password handling, passing only 2 of 21 tests on the Password Manager Evaluator Web site.

Settings and ciphers
An optional menu called Develop (which replaces the previous Debug menu option) can be added to the menu bar to speed up Web page development testing, but it also has significant global security impacts. The Develop menu allows the user to quickly open a current Web page in another installed Web browser or to change User Agent strings on the fly (to see how the change affects Web page rendering). Installed plug-ins can be viewed -- but not enabled or disabled -- via an option under Safari's Help menu.

You can disable images, CSS (which have been involved in more than a few exploits), and JavaScript on a global basis. Disabling JavaScript prevents many malicious Web sites from functioning, but it's no panacea. Even with JavaScript disabled, one of the most obnoxious malicious Web sites I tried still managed to kick-start more than 40 instances of Safari in a few seconds, resulting in a de facto DoS attack on the test machine.

Safari is weaker than its competitors in several areas regarding digital certificates and SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic. Initially, in SSL/TLS negotiations, TLS with RSA and weak 128-bit RC4 keys are offered first and second in the cipher order. Worse, ECC (Elliptical Curve Cryptography), AES (Advanced Encryption Standard), and 256-bit keys are never offered as potential cipher choices; further, MD5 is offered first and more frequently than SHA-1, when it should be the other way around. It would seem that Apple hasn't been paying attention to crypto developments over the last few years.

Safari does warn of invalid digital certificates, but it isn't nearly as "in your face" as the other top browsers. It warns only once with a small pop-up message, whereas competitors literally change the entire Web page to red or multicolored warnings. Come to think of it, maybe Safari has it right: better to display one warning than many for a single problem. But then Safari fails to highlight the true domain name, as IE and Chrome do, making it more difficult to tell phishing sites from the real thing. Safari does point out Extended Validation (EV) certificates, as do all of its competitors.

Hunting and phishing
Safari passed all of my browser and JavaScript security exams, negotiating my predefined lab trials, test suites on the Internet (including scanit and Jason's Toolbox), and real-world exposure to known-malicious Web sites without allowing any malware to be automatically installed (Safari's competitors fared just as well). The most malicious DoS Web site locked up Safari and the host machine, just as it did the other browsers, but Safari succumbed more quickly than the rest. Safari also fails to stop malicious URL moniker launches, used by attackers to automatically start helper applications they hope to exploit.

When Safari was first released, Apple touted the new browser as a secure alternative to Internet Explorer. As with all Internet Explorer alternatives, Safari's lack of native support for ActiveX controls does provide users with some protection, and its strong anti-phishing filters are also a plus.

But security is not Safari's strong point. Unfortunately, 26 separate vulnerabilities have been announced since March 2008, one-third of which would allow complete system access. Plus, there simply isn't a lot of security granularity to Safari. Security-minded users will have to decide if Safari's poor cipher support, lack of security zones, and absence of enterprise features for mass deployment and control can be overcome by its aesthetic benefits.

Copyright © 2009 IDG Communications, Inc.

How to choose a low-code development platform