Respected consumer advocacy group recommends against using Safari

And heck, that’s just common sense. I’ve recommended that all along, for Windows users. But what’s interesting about the Consumer Reports recommendation is that it’s aimed specifically at Mac users:

Mac users should scrap Apple's Safari and replace it with a browser that offers antiphishing protection, such as Mozilla's Firefox or Opera Software's Opera, Consumer Reports said today as it unveiled its annual Internet security survey.

Mac users are just as likely to fall for the fake sites as people running Windows, Fox said. "There is no significant difference" between the two groups -- Mac and Windows users -- regarding the likelihood of giving away information, he said. "Mac users are indistinguishable from Windows users here."

But users going online with Safari are leaving themselves at risk because the browser doesn't include tools to warn when a site is, or might be, dangerous. "The browser of choice for most Mac users, Apple's Safari, has no phishing protection," said Consumer Reports.

Until Apple adds antiphishing tools, the publication recommended that Mac users steer clear of Safari.

"The Mac [phishing statistics] were pretty interesting," said Fox, who named it as one of the current survey's biggest surprises. "Mac users think that they don't need to worry about viruses and spyware," he said. "But e-mail is the weak vector on the Mac."

Most phishing attacks begin when a user receives an e-mail message -- perhaps one posing as from his bank -- that includes a link to a malicious Web site.

"This is the one area where the Mac doesn't have an advantage in security," Fox continued. "Significantly fewer Mac users were using antiphishing technologies, but they were pretty much identical to Windows users about giving personal information.

"Windows users are used to being paranoid about not clicking," he said. "Mac users aren't, even though they say, 'Antivirus software, who needs it?'"

Fox also noted that users running Windows Vista reported significantly fewer instances of spyware or other malware infections than did people relying on Windows XP.

I do have a Consumer Reports subscription, but didn’t actually see this information in the cited report.

Thanks Jonathan.

Discuss this Article 77

Snakedoctor1
on Aug 6, 2008
Well I was waiting for the Nabisco browser review but this will do, no Safari for me!!! Maybe I should subscribe to Consumer Reports for Windows IT reviews? Man three Apple posts in a row. Funny my browser says Winsupersite????
shark47
on Aug 6, 2008
"Man three Apple posts in a row. Funny my browser says Winsupersite????" There you go again! I read this yesterday. Consumer Reports mentioned 7 myths about the internet, one of them being, "Macs keep me safe" or something of that sort.
shark47
on Aug 6, 2008
Oh. And Safari security is something that's very relevant to Windows users.
Dude1313
on Aug 6, 2008
Last time I checked Firefox runs on Macs...
shark47
on Aug 6, 2008
"Last time I checked Firefox runs on Macs..." Yes, and that's what Consumer Reports recommends on Macs. Nevertheless, these are interesting observations in lieu of the numerous discussions we had on the IT Pro site about Mac/PC security. Notice the last sentence: "Fox also noted that users running Windows Vista reported significantly fewer instances of spyware or other malware infections than did people relying on Windows XP." I think it's interesting. Ed Bott and Paul Thurrott have always touted Vista security but we've had widely quoted studies from shady sources which attempted to debunk claims of Vista being more secure. Oh, and finally, and slightly O/T, Ed Bott answers questions about the x64 version of Vista: http://blogs.zdnet.com/Bott/?p=511
johnpapola
on Aug 6, 2008
Paul, just rename your blog. The Apple coverage is extreme. You should be required to limit your coverage to 3.5% of posts as per your obsession with worldwide share.
yert
on Aug 6, 2008
Or 9% if we are using whatever math got us that number... I think at this point the Win in WinSuperSite stands for the Win, not Windows. When I named my blog I was vague with the name because I didn't want to be restricted to a single topic. Paul would do well to learn from me now. :D
MaryW
on Aug 6, 2008
@JohnPapola Oh come on John! Who would read this stuff otherwise? Just Mr Galos and the Pingbacks :)
tayme
on Aug 6, 2008
@jp - "You should be required to limit your coverage to 3.5% of posts as per your obsession with worldwide share." I realize that was a tongue in cheek remark, but this is the type response that Paul likes to satirize by using the iCabal term. Be real...Paul is allowed to discuss what he wants on HIS BLOG. Who do you suggest "requires" and polices limiting what type of coverage he posts? --tayme
johnpapola
on Aug 6, 2008
Here's the count on "the super site for windows" blog: 15 posts on page 1.
3 purely Mac posts
1 post in theory about Windows but really just a Mac criticism
2 MobileMe posts
2 iPhone posts
So 53.33% of the "Supersite for Windows" blog is about Apple products in some way. 26.67% are directly about the Mac, Mac prices or Mac marketshare. Paul can post what he wants... but don't tell Mac users to "get lost! It's a windows site" with this content spread. And seriously, you're telling me you can't see the hypocrisy in Paul's obsession with 3.5% worldwide share yet devoting so much personal energy to blogging about Apple? Give me a break. Have a great day!
mikegalos@msn.com
on Aug 6, 2008
What IS interesting is that the discussion has so quickly been moved to be a metadiscussion about Paul's blog itself rather than Mac security or even Safari security.
tayme
on Aug 6, 2008
@jp - Compare that to the amount of time and money spent by Apple and Steve Jobs talking about Microsoft in keynotes and TV adverts. The only adverts that they actually talk about their own product are the iPhone ones. Oh, and I have not told anybody to "get lost"...Get a grip, John...I think your wife has a point about you and these blog sites. --tayme
shark47
on Aug 6, 2008
"Paul can post what he wants... but don't tell mac users to "get lost!" Like I said earlier on another thread. If Mac users want to read Paul's blog, it's up to them. But please stop complaining. I don't see anything wrong with this post. The article was published in a highly respected publication. It's hard for you to attack the credibility of the source, so what do you do instead? You shoot the messenger.
johnpapola
on Aug 6, 2008
@Tayme, You're right. Have a blast bashing Safari guys. I'm outta here.
Waethorn
on Aug 6, 2008
Heh. I wonder what Apple is going to do about Safari on the iPhone then. Maybe Jobs will release another email-turned-PR-campaign saying that it's not up to snuff....
shark47
on Aug 6, 2008
"Have a blast bashing Safari guys.. " Now you're just being childish. Somehow I get the feeling that you cannot bear the thought of people saying something negative about Apple's products. If you have a problem with someone, it should be with the person who wrote the article in Consumer Reports.
weedmonk
on Aug 6, 2008
Paypal and now a publication? Hold on....let me go to the Safari website. "The Worlds Best Browser" Yup, it still says it. ROIFLMAO.
Waethorn
on Aug 6, 2008
....Opera Mobile makes the Touch Diamond look more and more like a better smartphone.... ;)
weedmonk
on Aug 6, 2008
@Tristan or anyone else " Apple is MS's biggest competitor," Is that true? Given MSFT's global footprint and dominating marketshare I would think Oracle or Sun would fit that bill. Not to mention Google and FOSS.
Waethorn
on Aug 6, 2008
Has Apple completely retracted the iPhone SDK 1.0 (ie. Webkit Webapps Edition) yet? Sorry, but this is just too funny! The iPhone 3G, MobileMe, Safari, and Apple's entire cloud-computing vision of "having the internet in your pocket" will be remembered as the Newton 2.0 - Apple's not-so-graceful second descent. (That's a pun, if you didn't get it already)
mikegalos@msn.com
on Aug 6, 2008
Weedmonk I suspect they meant this as a shorthand for, "Apple is Microsoft's biggest competitor in desktop consumer operating systems" and not overall. (And that's ignoring that Microsoft's biggest competitor in that field is older copies of Windows and bootleg copies of Windows both of which vastly overshadow Apple's share)
johnpapola
on Aug 6, 2008
Just for the record... this Safari complaint is obviously legit and Safari on the iPhone has inherent phishing danger with its small URL bar. Apple needs to get its act together and work to be at least as good as Microsoft now is on security. They need to use every tool in the book to keep the platform as safe and attack-free as it's been. The false sense of security in the non-techie Mac community is a dangerous and untenable situation. Phishing attacks are an especially dangerous bit of social engineering. Just for the record ;) God bless.
mikegalos@msn.com
on Aug 6, 2008
tristanh You're making the mistake of thinking of Microsoft as a company that thinks of corporate competitors which doesn't work when the competitor for one product is a highly valued partner for another. For the most part, each product unit thinks about their own competitors. For example, the SQL Server team thinks a lot about Oracle but if you asked them about Apple they'd probably go, "Who? Oh, yeah, the iPod guys." On the other hand, the Zune team probably thinks about Apple all the time but couldn't tell you what version of Oracle is on the market.
Mum
on Aug 6, 2008
"What IS interesting is that the discussion has so quickly been moved to be a metadiscussion about Paul's blog itself rather than Mac security or even Safari security" Isn't it? Surely the iCabal would be posting like mad, denying any possible security problems with Safari?
mikegalos@msn.com
on Aug 6, 2008
John, Nice post. Apple has gotten sloppy about security (details of which are probably beyond the scope of this board) but I'd add that the Mac community needs to start informing themselves about security. I still see them acting as though the lack of viruses on Macs is somehow due to an inherently secure OS that's immune to attack and will be forever. What they think the security patches are fixing is a mystery. I have found that the best way to get shouted down in any Mac user forum is to question that almost religious belief that since Macs haven't been targeted for viruses therefore OS X is somehow mystically secure. There's an attitude of willful ignorance in not thinking about security that's, frankly, a ticking bomb. I suspect the first time the bad guys (and these are not 17 year olds in their parents' basements anymore but serious organized crime groups) decide to target OS X, they'll get 90%+ infection and the shock to the zeitgeist of the Mac community will be horrible. (In short, since you spend time with Mac people, please try to get them to start waking up)
Waethorn
on Aug 6, 2008
Shall we be looking forward to an MoSB?
Snakedoctor1
on Aug 6, 2008
"The article was published in a highly respected publication." Yep, if you're reviewing blenders or the reliability of a Honda Civic. I like Consumer Reports but it's the last place I would look for an IT related review. I agree that Safari does not have anti-phishing built into it but neither did IE until version 7. Apple needs to step up and add that. Until OS X is exploited as in real attacks the sense of security is real. There might be holes in the OS, but all have them. Apple might be slower to fix them which is not good, but the fact remains there are not many if ANY recorded exploits (as in successful attacks). On the other hand Windows is hacked daily. Now the vast majority of those hacked Windows boxes are consumers, plugged right into a broadband modem, with no updates or protection, and Windows is a big fat target with its market share.
mikegalos@msn.com
on Aug 6, 2008
tristanh I wasn't saying they're irrelevant. But that's a long, long way from Microsoft's Biggest Competitor.
DRWAM
on Aug 6, 2008
Still, the bad guys won't find the Mac worth hacking as the payoff is considerably lower due to market share. I prefer FF on the Mac, but still prefer IE on Windows. Unfortunately, the PACS workstations MUST use IE 6 and it crashes numerous times all day. Wish we could upgrade to IE 7 or at least have FF. I am going to see if IT will allow FF installed as IE 7 has a compatibility problem with the PACS suite, but FF does not. I would bet that GE won't allow it, but you won't get it if you don't ask.
mikegalos@msn.com
on Aug 6, 2008
OK, we've moved into the dangerous "Macs are immune" meme. Let me say this as clearly as I can. The choice of hardware or operating system has NO (as in zero, null, none, naught) relevance to phishing attacks. Windows Vista, Windows XP, Mac OS X, Linux, Unix, Windows Mobile, iPhone, iPod Touch, some browser you wrote yourself to run on a Commodore Amiga, it doesn't matter. If you go to a phishing website and either use a browser without a phishing filter or ignore the warning you are vulnerable. It is a social attack and, like any con game, is based on human factors and not the computer.
DRWAM
on Aug 6, 2008
How does IE 7 compare to FF 3 in the anti-phishing realm?
Snakedoctor1
on Aug 6, 2008
Mike, I could not agree more, and that is why this review is pointless IMHO. Days of virus attacks are gone. Let's be honest, there are no more Slammers anymore. Everyone, corporations, ISPs, home users have wrapped themselves in layer upon layer of protections, and the Symantecs of the world could not be happier. Enough hot shot kiddie hackers in Germany have been sent to PRISON, with the help of MS and others, that that kind of activity is all but gone. Today it's flat out hacking for profit. Social hacking mostly, to get at your identity info to use it. Or a combination of social/PC hacking, as in you get an email that looks legit and you click on a link on an XP box running as an Admin account and it downloads whatever it wants to your PC and you're done. Your PC runs fine, but either they have ripped your info or your PC is being used as a zombie to do their bidding and you don't know it. IE and FF have phishing protection but it's pretty much worthless for joe user that clicks right through it. It does nothing for email that you open and set off something. So like I said, Consumer Reports, while their heart is in the right place, is the last place people need to get IT advice from. Now if you want a new Washer and Dryer.....then by all means get a copy of Consumer Reports.
mikegalos@msn.com
on Aug 6, 2008
DRWAM If you think the Windows/Mac religion wars are bad, comparing browsers is even worse. From what I know... IE 7 was better than FF2 which was criticized for a weak anti-phishing filter. FF3 has improved over FF2 but I don't know whether it has caught up with or surpassed IE7. IE8 improves the anti-Phishing tech that was in IE7 but the current tech preview is not ready for general use and is there so developers can start getting their sites ready. The real beta of IE8 is expected out fairly soon but, again, will be a beta and not for production use.
Snakedoctor1
on Aug 6, 2008
Let me add to my last post, it's not just XP. It could happen on an OS X, if it's an info-only gathering attack that you went to a site via an email you got. It's not even your computer at all, it's what you do when you type in a bank account password or whatever. Now for those sites that download crap to your computer after you go to them like a fool, then OS X today is not a target as far as most people know. XP is, Vista is way better with UAC at stopping the junk that comes down.
mikegalos@msn.com
on Aug 6, 2008
Snake It is not only naive, it's dangerously naive to think that the days of viruses are over. We've moved from attacks being something done by amateurs to gain some street cred and moved to attacks coming from organized crime and national intelligence agencies. Zero-day attacks are more common not less. Yes, we're seeing less success from script kiddies running downloaded botkits but we're seeing more attacks that are very sophisticated.
DRWAM
on Aug 6, 2008
Thanks Mike. Even my two 7 yr olds know that IE is for Internet Explorer, and that's what they use to play in Webkinz world and Nick.com, but I probably should not have mentioned that "W" word as we may get tons of pings again. I guess this will test it, and I may get banned! PS, our favorite English roses are Golden Celebration and favorite orange roses are Livin' Easy and Remember Me. They all grow well and Livin Easy reblooms a lot and is very shade tolerant. Golden celebration grows really fast and tall. David Austin really knows what he's doing.
Waethorn
on Aug 6, 2008
"FF3 has improved over FF2 but I don't know whether it has caught up with or surpassed IE7." In XP - yes. In Vista - no. It has nothing to do with the phishing filter though. @snake: It's not just about social engineering or viruses. Corporate security companies pan OS X's security for the workplace once the investigators pass through the superfluous fog of "impenetration" that Apple creates in their marketing for the OS. The source code is open, so as a buddy of mine that works for a major enterprise IT security firm likes to say: "it's like giving the hijackers the blueprints for the WTC with a big arrow that says "CRASH HERE"." Harsh, but so very true.
mikegalos@msn.com
on Aug 6, 2008
Snake You said "... Safari does not have anti-phising built into it but neither IE until version 7." To put this in perspective.
2004 - Phishing becomes a significant problem
2005 - Safari 2 released - no anti-phishing tech
2006 - Firefox 2 release - Google anti-phishing plug-in optional
2006 - IE7 released with native anti-phishing filter.
2007 - Firefox adds native anti-phishing filter
2007 - Safari 3 released - no anti-phishing tech
2008 - Firefox 3 release - improved anti-phishing filter
mikegalos@msn.com
on Aug 6, 2008
OT - News (but there's no on-topic place for it so I'm putting it in the newest thread) SQL Server 2008 released today. SQL Server 2008 Express and SQL Server Compact editions are available for free download today at http://www.microsoft.com/sqlserver. We now return you to phishing.
mikegalos@msn.com
on Aug 6, 2008
tristanh A great example of one group's competitor being another group's partner in this industry is one where Microsoft played both roles with different groups at IBM. The new top performance on the Transaction Processing Council's TPC-E benchmark was with Microsoft SQL Server 2008 running on a 16 processor IBM x3950 server. IBM hardware did the benchmark which showed off their server hardware despite another group at IBM making the DB2 database engine. So IBM's hardware group considers SQL Server a partner while IBM's database software group considers SQL Server a big competitor.
Waethorn
on Aug 6, 2008
@mike: I don't see anything to do with SQL 2008 besides RC0....and SQL Compact is embedded in applications, so installing it separately is kind of dumb.
shark47
on Aug 6, 2008
I have seen a huge increase in the number of "Nigerian scam" and phishing emails that I receive lately. Hotmail does a pretty good job of delivering all such emails to my junk mail folder. It does have a few false positives, though. On the other hand, Yahoo!, irrespective of the spam settings is extremely weak when it comes to this. I've clicked on a couple of such sites for the heck of it and neither FF3 nor IE7 warned me. I guess the people who carry out these phishing attacks are getting smarter too.
mikegalos@msn.com
on Aug 6, 2008
Waethorn, I suspect the downloads may take a while to migrate to the production servers but that's the link that Microsoft gave. (probably why they said "today" rather than "now") As for Compact, it is typically embedded in apps which is why developers download and install it separately. It's not really a consumer download but not everybody here is just a consumer, there are some devs.
mikegalos@msn.com
on Aug 6, 2008
shark Yes, the bad guys get better and now that they're pros rather than amateurs, getting better all the time is a part of their professional skills. It's why there are updates to the anti-malware local engines and why the online databases that power the phishing filters are pretty constantly updated. Even so, both sides are constantly playing catch-up.
Snakedoctor1
on Aug 6, 2008
"It is not only naive, it's dangerously naive to think that the days of viruses are over." Over in the sense of we are over protected to the point, like you said they have moved onto different ways of attacking. The big attacks that took down MS customers, many corporate in nature during the early 2000 years were what is considered a true virus sent in an email, via payload. That kind of attack is nil today because lots of attention was focused on that kind of attack, so much so that today it's basically a non-issue since most people are well protected. Today they lure you in, you actually pull the trigger yourself, unknowingly.
shark47
on Aug 6, 2008
"It's why there are updates to the anti-malware local engines and why the online databases that power the phishing filters are pretty constantly updated." Maybe the easiest way is to flag all "Created on a Mac" sites as phishing sites. Just kidding, John! Really.
mikegalos@msn.com
on Aug 6, 2008
Snake Ah, that's clearer. Still, there are a LOT of attacks that still don't require user participation especially on any system where the user runs with an Admin or root level account (like an iPhone or Windows XP or a user given bad advice from a well-meaning but ignorant friend...) Remember that it doesn't take user intervention to exploit a hole in the OS and every OS has some holes. The key is how fast the vendor gets them fixed and how well the users keep up with their updates. The recent ISP router issues show just how sophisticated some of the attacks are getting.
whiplash55
on Aug 6, 2008
I don't think Consumer Reports is a useful source unless I'm looking at automobile repair frequency. They once recommended single payer health care, an opinion my friend from BC laughed at considering it took him 3 freaking years to get his knee scoped (I waited a week). Consumers Union is usually full of it, but they may be right about Safari and BMW's.
mikegalos@msn.com
on Aug 6, 2008
Whether Consumer Reports is a good, bad or mediocre source really doesn't matter on this issue. There's nothing controversial about their statement. There's no case of "well, they cared about different things than I do" which is the usual objection to their reviews. Running a browser without a phishing filter is a BAD IDEA. Period. Any source out there (except possibly Apple, Inc.) will agree with that.
