
The Strange Case of Safari 4.0.5

Funky things going on with Apple's latest web browser update.


CUPERTINO (Rixstep) — Apple did more than take care of potentially embarrassing bugs in Safari in anticipation of CanSecWest. They changed underlying technologies as well. And not all for the better.

There's also the question of why Apple hide the previous version with all associated components in zip archives on user hard drives and how they achieve root access without user authentication.

RAM Glutton

Suddenly Safari's become a memory glutton. People using Google Wave have noticed very strange behaviour. Sign in at wave.google.com with Safari 4.0.5 and keep an eye on memory usage with Activity Monitor.

Some systems break the gigabyte ceiling for VM and at least half that in real memory.

Firefox 3.6 at the same site with the same login: a completely different behavioural pattern.

Firefox 3.6 is only a 32-bit application but Wave users claim Safari's memory usage was not alarming with previous versions. And the Google Chrome browser (version 5.0.307.11) uses even less memory than Firefox 3.6.

Safari 4.0.5 makes swap go crazy too - rebooting can be the only way to get the system running smoothly again.

6 items, 2147483648 bytes, 4194304 blocks, 0 bytes in extended attributes.


/Library/Updates has a curious property list file with the following data after the automatic 4.0.5 update begins.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

Yet several modules - the WebKit being not the least - require root privileges to update. And whilst the 4.0.5 update requires user authentication on Leopard 10.5, on Snow Leopard 10.6 it does not. Meaning there's another 'Opener hole' somewhere on the system - after all these years. (And Safari 4.0.5 isn't the first time it's been used.)

There are several further indications in the 4.0.5 install package that root access is not only required but expected.


# We're running as root, so we do su $user -c $DISPLAYALERT
# to run with the localization preferences of the user that
# invoked the installation in the first place.


system('/usr/sbin/chown', 'root:admin', $BACKUP_FILE_LIST);
system('/bin/chmod', '0664', $BACKUP_FILE_LIST);

# create target folder if needed
if (! -e "${BACKUP_FOLDER}") {
    print "Creating backup folder\n";
    system('/bin/mkdir', '-p', $BACKUP_FOLDER);
    system('/usr/sbin/chown', 'root:admin', $BACKUP_FOLDER);
    system('/bin/chmod', '0775', $BACKUP_FOLDER);
}

# move archive to target folder
if (-e "${TEMP_FILE}.gz" && -e "$BACKUP_FOLDER") {
    print "Moving archive to backup folder\n";
    system('/bin/mv', "${TEMP_FILE}.gz", $BACKUP_FILE);
    system('/usr/sbin/chown', 'root:admin', $BACKUP_FILE);
    system('/bin/chmod', '0664', ${BACKUP_FILE});
} else {
    print "Failed to create archive: ${BACKUP_FILE}\n";
}

# place Leopard cookie
if (-e "$BACKUP_FOLDER") {
    print "Touching $BACKUP_OS_COOKIE\n";
    system('/usr/bin/touch', $BACKUP_OS_COOKIE);
} else {
    print "Failed to create cookie file\n";
}

disableReportCrash. (Root access is needed to run this command.)


if [ "$3" == "/" ]; then
    echo "Disabling ReportCrash"
    launchctl unload "/System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist"
fi

exit 0

updateDyldSharedCache. (Root access is needed to run this command.)


"$3"/usr/bin/update_dyld_shared_cache -root "$3"


Finally there's the matter of the hidden archive of the previous version of Safari at /Library/Application Support/Apple.

3 items, 21737541 bytes, 42464 blocks, 0 bytes in extended attributes.

/Library/Application Support/Apple/.Safari_Leopard
/Library/Application Support/Apple/.SafariArchive.tar.gz
/Library/Application Support/Apple/.SafariPath
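
To see what the installer left behind without unpacking anything, the following added example (not part of the original article or of Apple's install package) lists the hidden entries in that folder with owner and mode, for comparison with the chown/chmod calls above, and reads the index of any tar archive it finds. The function names are hypothetical; the only path assumed is the folder named above.

```python
#!/usr/bin/env python3
"""Added example: inspect hidden installer leftovers without extracting them."""
import os
import stat
import sys
import tarfile

# Directory named in the article; pass another path as argv[1] to override.
APPLE_DIR = "/Library/Application Support/Apple"


def hidden_entries(directory):
    """Return (name, mode, uid, gid, size) for each dot-entry in directory."""
    rows = []
    for name in sorted(os.listdir(directory)):
        if name.startswith("."):
            st = os.lstat(os.path.join(directory, name))
            mode = "%04o" % stat.S_IMODE(st.st_mode)  # e.g. "0664"
            rows.append((name, mode, st.st_uid, st.st_gid, st.st_size))
    return rows


def summarize_archive(path):
    """Walk a tar archive's index only; nothing is written to disk."""
    summary = {"members": 0, "bytes": 0, "setid": []}
    with tarfile.open(path, "r:*") as tar:  # "r:*" auto-detects gzip
        for member in tar:
            summary["members"] += 1
            summary["bytes"] += member.size
            # Members that would unpack with setuid/setgid bits set.
            if member.mode & (stat.S_ISUID | stat.S_ISGID):
                summary["setid"].append(member.name)
    return summary


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else APPLE_DIR
    if not os.path.isdir(directory):
        sys.exit("not a directory: %s" % directory)
    for name, mode, uid, gid, size in hidden_entries(directory):
        print("%-26s mode=%s uid=%d gid=%d size=%d" % (name, mode, uid, gid, size))
        full = os.path.join(directory, name)
        if os.path.isfile(full) and tarfile.is_tarfile(full):
            info = summarize_archive(full)
            print("  %(members)d members, %(bytes)d bytes unpacked" % info)
            for member in info["setid"]:
                print("  setuid/setgid member: %s" % member)
```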

See Also
Developers Workshop: 061-7784

Copyright © Rixstep. All rights reserved.