updated 05:35 pm EDT, Fri June 22, 2007
Safari Beta 3.0.2
Apple today released Safari Beta 3.0.2, the latest revision of its Web browser for Mac and Windows systems, which currently ranks as the third most used internet browser on the market. The update appears as a separate, unique update released alongside Apple's Security Update 2007-006, which will not appear as an available update to Safari Beta 3.0.1 users. Apple's latest changes include fixes that prevent maliciously crafted websites from compromising the security of an affected Mac or Windows PC. [updated]
In Safari Beta 3.0.1 for Windows, a timing issue allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. The vulnerability could be used to spoof the contents of a legitimate site, allowing malicious users to gather credentials or other information. This update addresses the issue by restoring the address bar contents if a request for a new Web page is terminated. The issue does not affect Mac OS X systems.
An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted Web page, an attacker could conduct cross-site scripting attacks. This update addresses the issue by performing additional validation of header parameters. Apple offers credit to Richard Moore of Westpoint for reporting the problem.
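The kind of header validation described above, as an added example that is not Apple's or WebKit's code: a request serializer that refuses header names and values able to start a new line in the request, next to one that concatenates them unchecked. The function names, the exact validation rules (token-only names, no CR, LF or NUL in values) and the sample values are assumptions made for illustration.

```javascript
// Added example. All names and sample values are constructed for illustration.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // characters allowed in a header name
const BAD_VALUE = /[\r\n\0]/;                    // characters that end or corrupt a header line

// Unchecked serializer: writes whatever name/value pairs the caller supplies.
function serializeNaive(method, path, host, headers) {
  let out = `${method} ${path} HTTP/1.1\r\nHost: ${host}\r\n`;
  for (const [name, value] of headers) out += `${name}: ${value}\r\n`;
  return out + "\r\n";
}

// Validating serializer: every pair is checked before anything is written,
// so one supplied header can never become more than one line on the wire.
function serializeChecked(method, path, host, headers) {
  for (const [name, value] of headers) {
    if (!TOKEN.test(name)) {
      throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (BAD_VALUE.test(String(value))) {
      throw new SyntaxError(`invalid value for header ${name}`);
    }
  }
  return serializeNaive(method, path, host, headers);
}

// Header lines in the head of a serialized request, request line excluded.
function headerLines(request) {
  const head = request.slice(0, request.indexOf("\r\n\r\n"));
  return head.split("\r\n").slice(1);
}

// Constructed inputs: one ordinary header, one whose value embeds CR LF.
const ordinary = [["X-Note", "ok"]];
const crafted = [["X-Note", "ok\r\nX-Extra: 1"]];

console.log(headerLines(serializeNaive("GET", "/", "site.example", crafted)));
try {
  serializeChecked("GET", "/", "site.example", crafted);
} catch (e) {
  console.log("rejected:", e.message);
}
console.log(headerLines(serializeChecked("GET", "/", "site.example", ordinary)));
```

With the unchecked serializer, the single crafted pair yields an extra header line; the validating one rejects it before any bytes are produced.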
An invalid type conversion when rendering frame sets could lead to memory corruption, possibly resulting in an unexpected application termination or arbitrary code execution when users visit a maliciously crafted Web page. Apple gives credit to Rhys Kidd of Westnet for reporting the issue.