Tuesday, June 12, 2007

Safari for Windows, Mac, and probably iPhone found to have tons of security holes

As noted here and many other places, Safari turns out to be full of security flaws, at least some of which are in the production (2.0.4) version as well as the 3.0 "beta" (it doesn't show beta in its About box).

Safari on Windows is proving pretty buggy for me; it doesn't save preference changes, among other things. (Ironically, it crashes when I try to view a MacWorld Blog page complaining about the uninspiring announcements at WWDC.) Personally, I think it's nice to see security flaws in Safari exposed because, hopefully, Apple will be forced to fix them. The nastiest exploit I've seen tricks Safari into running arbitrary command lines under Windows (via cmd.exe).

Some nice information on Leopard's under-the-hood improvements

HardMac notes that Leopard has many improvements under the hood including UNIX-03 compliance, multicore optimization of network layers, automatic TCP optimization, and security features such as sandbox options for applications and notifications of an application having been altered since it was installed.

Strange Omissions

Rumor has it that, at least initially, the iPhone will lack Flash support -- argh! (Even the Wii has Flash support.) Yes, that is disappointing, but it doesn't explain why Apple's email announcement to people, like me, who signed up for news on the iPhone's release doesn't mention web browsing.


But the really sad omission is...

It really looks like the iPhone SDK non-announcement is a little hasty. Yes, you can develop perfectly good 3rd party apps for the iPhone using a web server, but no, Apple hasn't added some perfectly obvious bells and whistles to make this seamless:
  1. There appears to be no way, out of the box, to "bookmark" or "force cache" a page and make it launch directly from the main menu.
  2. The Safari UI doesn't appear to be hideable (yes, the address bar auto-hides after a period of non-use, but it needs to be possible to hide all trace of the browser from JavaScript or something).

Technically, these are minor omissions and easily fixed, but boy would they have made great demos (versus the glorified phone book app that was shown).

Build a simple game using DHTML. Make it 480x320. Go there with your browser. Click a button to "appify" it. Boom. Third party game app. (And then demonstrate how it automatically updates the cached version when appropriate.)

Go to Google documents and "appify" it. Boom. You have a real word processor on your iPhone.

These are low hanging fruit, and it's rather lame that Apple didn't have at least one moderately cool demo to show.

Monday, June 11, 2007

Uh oh, AAPL is down $4

In general, when Wall Street responds poorly to Apple announcements it's a sign either that Apple's announcements were lame OR that Wall Street doesn't understand the implications. Remember that the iPod announcement was received with yawns (including from me) and so was AppleTV. We'll see.

Going back to my reaction to the announcements at WWDC 2006 (last year), it still seems to me that Time Machine is a killer feature. Just ship it and have it not suck and I'm sold. Stacks is also a killer feature. At last, your desktop can actually look pleasant without constant maintenance. (It's sad how much time I waste clearing up my desktops on both Mac OS X and Windows.) I should point out that the Apple Menu and Tabbed Finder windows in OS9 are long overdue for replacement, but stacks do appear to be a very well thought out replacement.

Quick Look may or may not turn out to be amazing. It really depends on what documents are supported and how easy it is for third parties to build their own lightweight plugins (e.g. if I can preview 3d models from, say, Cheetah 3D via Quick Look, that would be great, but how likely is that?) Quick Look is eminently hackable though -- write a Quick Look plugin to do screen casting, for example (since it's unclear whether that functionality is available in iChat AV as implied).

The DVD player functionality looks like a really compelling feature, especially for the Mac Mini as home entertainment center. At last, one of the two most annoying things about DVDs (skimming through them to find something) appears to have been clobbered. Now all we need is a MENU button that can bypass ads.

Spaces looks like it will be amazing. I've got a license to Virtual Desktop somewhere (one of several free and shareware virtual screen apps for OS X) and I gave up using it long ago. For something like Virtual Desktop software, incredible attention to detail (like perfect Exposé integration and muting games in hidden screens) is essential, and this is where Apple can make a great concept that doesn't quite work available to everybody.

Again, the devil is in the detail. Yes, Vista has automated backups. So does the Mac. Do you think that this is the same as Time Machine? It's like when Apple added outline font support at OS level back with System 7 saying "hey, Windows has fonts too".

"Web Apps Are Not Applications" Rogue Amoeba

Some developers aren't terribly pleased by Apple's announced option for those wishing to develop iPhone applications.

The original post is simply sarcastic, but this response (strongly agreeing with the original post's sentiment) sums up the poster's point of view:

Apparently if we want to develop for the iPhone, we have to be web developers, and develop web apps. Saying we can develop "Web 2.0 apps using AJAX" is just a nice way of saying "No 3rd party apps and no 3rd party widgets."

Just like if you really want to develop Cocoa apps, you can't write them (easily) in Logo, Visual Basic, C#, or Pascal.

They're right, of course, Web Apps aren't Applications.

  • They don't need to be installed
  • Or kept up to date
  • Or moved from machine to machine when you suddenly need to go on a road trip
  • Or uninstalled when not needed
  • They don't support multiple users either (a) not at all or (b) as an afterthought
  • They can't crash the machine they're running on, only the browser
  • A rogue web app can't format your hard disk, or turn your iPhone or computer into a bot
  • They can be written using a huge variety of tools and languages, many of which are childishly simple to learn
  • "Hello, world" is only a few bytes longer than the ASCII string. There's no 20MB .NET runtime.
  • They don't need to be recompiled to run on different platforms, although they do need a little tweaking.

To allow third party development for the iPhone Apple needs to provide a development and runtime environment that:
  1. is safely sandboxed so that third-party apps can't compromise the iPhone's stability,
  2. has the power to communicate with central servers,
  3. has some kind of mechanism for distributing and updating itself, and
  4. has all the usual capabilities of handling user interaction, drawing pictures, and so on

Safari has all of these things. It runs on HTML, CSS, JavaScript, and Flash, which can be generated by server code written in any language you like, including C++, LISP, Cobol, and Eiffel. Go for it.

Now, Apple could build this from scratch or it could use something that already exists. Since Apple doesn't have, say, a managed code environment like .NET to throw at the problem, the other glaringly obvious option is Web 2.0 etc. Which is what they picked. Sure, this limits what you can do in your application ... I don't think anyone has written a 3d animation package in JavaScript yet, so I guess that's going to be a stretch.

Don't want to sully your hands with Perl -- fine. Code your server in LISP or C++. I don't care. Neither does the iPhone.

Now there are legitimate concerns vis-a-vis the iPhone working when disconnected from the internet, or in low bandwidth situations. Will it be possible to (a) load a "website" onto your phone and run it as a local app (possibly with some local runtime support, such as Apache/PHP/Perl or whatever), or (b) load a page or pages into your cache explicitly and always have access to them? These are perfectly legitimate questions for which I suspect there are good answers.

But whining about being forced to learn HTML/CSS/JavaScript or whatever is just dumb. If you can handle Objective-C, you're not going to have any problems building web applications.

WWDC 2007 Keynote

Well the leak was completely inaccurate (and yes, the real keynote had hard numbers in it).

The "and one more thing" item was Safari for Windows. Cute.

As per my previous post, the SDK for iPhone is a web server. Duh.

(Similarly, you can view Word documents in your iPhone via Google documents, instant message via any one of a number of browser-based IM clients, etc. Isn't having a non-crippled browser fun?)

"This is going to make the EDGE limitation worse (Gizmodo)"

Yes it will, but get over it. EDGE will still be better than sharing a crappy wireless network in a hotel or airport*, and personally I'd take this as an opportunity to do some intelligent web coding that works well in the moderate bandwidth available via EDGE and thus have a competitive advantage over the idiots who, say, don't know how to produce small graphics or whatever.

* I've just spent the last two weeks on the road, and 1k bps would rock compared to what I've gotten in hotels, airports, and friends' home networks.

iWork '07 MIA

Expect to see this discussed closer to the release of Leopard or, possibly, in a separate keynote later in the week (remember, WWDC has mini keynotes on Tuesday and Wednesday).

"Apple to let outsiders create programs for iPhone" Reuters 1:32 PM

Well, I guess that's one way to put it. Apparently, Apple will allow you to build websites on the internet and then allow iPhone customers to visit them.

Putting Metal where it belongs

So the rumor sites are abuzz, of course, on this the most important day of the Apple calendar year (at least in terms of interesting announcements). Steve's WWDC keynote (apparently leaked here) has generally contained far more substantive information than all the other major announcements of the year, and this year is -- I can safely say -- going to be no exception.

One thing everyone can agree on is that the Metal interface (first seen in iTunes and QuickTime way back when), much derided by Mac users and much imitated elsewhere (just to prove that Microsoft is not alone in not getting it) is finally being taken to a room with plastic on the floor. Let's hope that everyone is right, unlike back when everyone was sure there'd be a new, improved Finder in 10.3, and then again in 10.4.

The German leak certainly looks very plausible, or it may simply be a very well done hoax (having a bunch of crap about new Apple Stores at the beginning is a nice touch, but one thing that's starkly missing is hard numbers -- Jobs loves to quote simple, big numbers such as 2.5 billion songs sold through iTunes or, say, 500,000 iPhones sold to Fortune 500 companies by AT&T before the launch or whatever). I guarantee a few choice numbers will be stated in the keynote and there are none in the leak (e.g. iMac Core 2 Duos sold). Still, the leak may be completely accurate (it's certainly extremely plausible), in which case someone is going to get fired.

So, assuming that the leak is true, iWork will be integrated with Google Documents via .mac, as will the iPhone. This is a no-brainer, since it leverages Safari (in the iPhone) to provide Word and Excel integration (which makes it more than competitive with the atrocious mini-Office-apps on "Smart" phones) and also makes iWork and .mac and Google documents suddenly a lot more compelling. The real question is whether this points to Apple becoming as inextricably tied to Google as it currently and foreseeably is to Microsoft. Perhaps neither of these is such a bad thing. Also, er, where do the ads fit in?

It's worth noting that, assuming Safari on the iPhone really works (which I think is safe to assume) Apple was getting all the functionality of Google documents for free anyway. BTW here's a clue for all the people -- I was going to say "retards" but there are some very bright people in the group -- screaming for an iPhone SDK: you have one, it's called a web server. Someone even pointed to a WWDC session about designing websites for the iPhone and interpreted this as "the iPhone's web browser doesn't really work properly". Duh, no. The iPhone isn't 1280x1024, so you need to design for that. Also, presumably, you'll be able to detect the iPhone, target it with CSS, and do a bunch of other things (like hint article flows) to optimize your site to work seamlessly on an iPhone. This is not the same as saying Safari can't browse real web pages.

The really bold item in the leak is iPhone@home since it hasn't been rumored anywhere (beyond stuff like MacBook Thin), is very specific, and makes a lot of sense. Here's the nutshell version -- why bother with a network carrier if you don't have to? In some cities, it will completely obviate the need for a phone at all... Assuming the leak is accurate.

Anyway, writing this has chewed up 15 minutes of the interminable wait for the keynote to begin.

Sunday, June 10, 2007

My Wetware Problems with Apple Products

I have to admit this -- I've been to Apple's genius bar twice with problems (once with an iPod, and once with a MacBook Pro), and both times the problem was instantly solved by the same thing -- I had to reboot.

Dammit, why aren't Apple's products completely perfect? Aside from needing to be rebooted sometimes as often as twice a month for system patches, now, apparently, some mysterious problems (such as DVDs not playing) can be solved by rebooting.

Anyway, I thought it was interesting that rebooting has become a blind spot for me when trying to fix a problem on an Apple product. It's a shame that their products aren't quite ready for it.