
Printed from http://www.macnn.com

Safari Beta 3.0.2 beefs up security

updated 05:35 pm EDT, Fri June 22, 2007


Apple today released Safari Beta 3.0.2, the latest revision of its Web browser for Mac and Windows systems, which currently ranks as the third most used internet browser on the market. The update appears as a separate, unique update released alongside Apple's Security Update 2007-006, which will not appear as an available update to Safari Beta 3.0.1 users. Apple's latest changes include fixes that prevent maliciously crafted websites from compromising the security of an affected Mac or Windows PC. [updated]

Safari-specific holes

In Safari Beta 3.0.1 for Windows, a timing issue allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. The vulnerability could be used to spoof the contents of a legitimate site, allowing malicious users to gather credentials or other information. This update addresses the issue by restoring the address bar contents if a request for a new Web page is terminated. The issue does not affect Mac OS X systems.

Safari's security model prevents JavaScript in remote Web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. The update addresses the issue by correcting access control to window properties. Apple offers credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems for reporting the issue.

WebCore/WebKit vulnerabilities

An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted Web page, an attacker could conduct cross-site scripting attacks. This update addresses the issue by performing additional validation of header parameters. Apple offers credit to Richard Moore of Westpoint for reporting the problem.

An invalid type conversion when rendering frame sets could lead to memory corruption, possibly resulting in an unexpected application termination or arbitrary code execution when users visit a maliciously crafted Web page. Apple gives credit to Rhys Kidd of Westnet for reporting the issue.




by MacNN Staff
