Not only did it take less than a week (as it did with the beta release) to find critical vulns in Safar 3.1 for Windows – but they managed to violate their own EULA by distributing it to approximately 500m Windows users in the first place!
I’m not sure how they could have screwed this up more . . . and they seem to still be getting really *easy* stuff wrong . . . I mean this is a file name length bug? Seriously? The stuff we’re getting in IE these days is all hosted AX control bugs or wierd DOM abuse / timing issues that lead to double free type vulns and wierd / obscure / hard stuff like that – and Apple is still having problems with string length calculations in 2008? W o w.
This will probably be the only way the Vista box falls in pwn2own – should someone ask the organizers to install Safari on the box on day 3! 🙂 B.t.w. – I had a chat with ZDI and asked if code execution in protected mode IE was sufficient to win since it runs at low IL by default and they indicated they would probably say ‘no – you’d have to bust out of PMIE and elevate to medium IL for it to be considered worthy. I hope they stick to that plan as it raises the bar a bit. 🙂