Printed from http://www.macnn.com

Safari Beta 3.0.2 beefs up security

updated 05:35 pm EDT, Fri June 22, 2007

Safari Beta 3.0.2

Apple today released Safari Beta 3.0.2, the latest revision of its Web browser for Mac and Windows systems, which currently ranks as the third most-used Web browser on the market. The update appears as a separate, unique update released alongside Apple's Security Update 2007-006, which will not appear as an available update to Safari Beta 3.0.1 users. Apple's latest changes include fixes that prevent maliciously crafted websites from compromising the security of an affected Mac or Windows PC. [updated]

Safari-specific holes

In Safari Beta 3.0.1 for Windows, a timing issue allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. The vulnerability could be used to spoof the contents of a legitimate site, allowing malicious users to gather credentials or other information. This update addresses the issue by restoring the address bar contents if a request for a new Web page is terminated. The issue does not affect Mac OS X systems.

Safari's security model prevents JavaScript in remote Web pages from modifying pages outside of their domain. A race condition in page updating, combined with HTTP redirection, may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. The update addresses the issue by correcting access control to window properties. Apple offers credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems for reporting the issue.

WebCore/WebKit vulnerabilities

An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted Web page, an attacker could conduct cross-site scripting attacks. This update addresses the issue by performing additional validation of header parameters. Apple offers credit to Richard Moore of Westpoint for reporting the problem.
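As an added illustration (not code from Apple, WebKit or the original article), the kind of header validation described above can be sketched as a check that runs before any header is serialized. The function names and sample headers are assumptions constructed for this example; the exact checks Apple added are not stated in the article.

```javascript
// Added example; validateHeader/serializeHeaders are hypothetical names,
// not WebKit functions.

// RFC 7230 "token": the only characters allowed in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// CR, LF and NUL in a value would let it end the line and start a new header.
const FORBIDDEN_IN_VALUE = /[\r\n\0]/;

function validateHeader(name, value) {
  if (typeof name !== "string" || !TOKEN.test(name)) {
    return { ok: false, reason: "invalid header name" };
  }
  if (FORBIDDEN_IN_VALUE.test(String(value))) {
    return { ok: false, reason: "CR, LF or NUL in header value" };
  }
  return { ok: true, reason: "" };
}

// Serialize only after every pair has passed validation, so a rejected
// header never reaches the wire in partial form.
function serializeHeaders(headers) {
  for (const [name, value] of headers) {
    const check = validateHeader(name, value);
    if (!check.ok) {
      throw new TypeError(`${check.reason}: ${JSON.stringify(name)}`);
    }
  }
  return headers
    .map(([name, value]) => `${name}: ${String(value).trim()}\r\n`)
    .join("");
}

// Constructed sample input: the second value tries to smuggle an extra header.
const samples = [
  [["Accept", "text/html"], ["X-Note", " hello "]],
  [["Accept", "text/html"], ["X-Note", "a\r\nX-Injected: 1"]],
];
for (const headers of samples) {
  try {
    console.log(JSON.stringify(serializeHeaders(headers)));
  } catch (err) {
    console.log("rejected:", err.message);
  }
}
```

Rejecting the request outright, rather than stripping the offending bytes, avoids sending a header whose meaning differs from what the calling script asked for.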

An invalid type conversion when rendering frame sets could lead to memory corruption, possibly resulting in an unexpected application termination or arbitrary code execution when users visit a maliciously crafted Web page. Apple gives credit to Rhys Kidd of Westnet for reporting the issue.




by MacNN Staff
