Friday, April 18, 2008
Apple Inc. has changed its software update tool for Windows users
Apple makes minor concession on pushing Safari to Windows users
Separates updates and new offers, but Mozilla wants more.
Apple Inc. has changed its software update tool for Windows users so that it separates updates for already-installed programs from offers to install new software.
Last month, John Lilly, Mozilla Corp.'s CEO, took Apple to task for using the update tool, familiar to Windows users as the mechanism for updating iTunes, to push the Safari browser to people who had not previously installed the program. Lilly said the practice "undermines the Internet" and "borders on malware distribution practices."
Lilly's comments, which appeared in a blog post, raised a furor, with Apple defenders calling his criticisms, among other things, a "mountain out of a molehill" and a "load of crap."
Apple has updated the Windows utility, dubbed "Software Update," to version 2.1. That version features a split-pane display that lists "Updates" atop and "New Software" below. On Windows XP and Vista machines sans Safari, for instance, the Apple browser appears in the New Software section, with its selection box pre-checked.
Mozilla noticed the change.
Asa Dotzler, Mozilla's director of community development, said the move was "an important, though not sufficient, improvement" and called on Apple to go a step further. "Now Apple needs [to] stop checking the box for 'New Software' items by default," he said in a post to his blog.
In his March reproach of Apple, Lilly had also brought up the checked-by-default box; today he echoed Dotzler. "Good change! A bit more to do..." he wrote on his blog.
It's unclear when Apple first started offering Software Update 2.1; there was no mention of it on Apple's Web site, for example. On Windows Vista, however, the installed tool carries a date stamp of April 11.
"In this latest release we have made it easier for customers to identify between software updates and new applications," said Apple spokesman Anuj Nayar. He declined to comment on whether Apple made the change in response to last month's criticisms, or if it would consider Mozilla's request to deselect the Safari install box.
Apple updated Safari to 3.1.1 yesterday, fixing four flaws in the Windows version and two in the Mac edition. One of the two bugs on the Mac side had been used in a hacker contest last month by a researcher who took home a $10,000 check and the MacBook Air notebook he hacked.
Apple and Mozilla are busy this week deploying security patches for their browsers, Safari and Firefox. The security holes could have left users open to malware installation and cross-site scripting attacks, according to advisories posted by Apple and Mozilla.
"This is being fixed primarily to address stability concerns," the advisory read. "We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past."
On the Apple side, the patch fixes two flaws in the Mac version of Safari and four flaws in the Windows version. For Windows systems running Safari, the patches fix vulnerabilities that hackers could exploit to remotely install malware on the user's system.
Another patch involved a flaw in Safari's open source WebKit framework (which also powers some elements of Apple's Mail and Dashboard applications) that could allow attackers to mount a cross-site scripting attack. This security hole also affects Safari's Mac users, where a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution, according to Apple's advisory.
The WebKit flaw, one of the security issues patched, was discovered by security researcher Charlie Miller, who hacked a MacBook Air by exploiting an unknown vulnerability in Safari as part of the Hack-a-Mac contest at the CanSecWest security conference in Vancouver in March.
Posted by SANJIDA AFROJ at 5:59 PM