04/16/2008, 8:40pm, EDT
Wednesday, April 16th
Safari 3.1.1, Firefox 2.0.0.14 fix security flaws
Apple today released Safari 3.1.1, an update to its cross-platform browser, while The Mozilla Foundation released Firefox 2.0.0.14, an update to the open-source browser. Safari 3.1.1 is available for Mac OS X Leopard/Tiger as well as Windows systems; it includes improvements to stability, compatibility and security. Specifically, the update addresses the flaw that allowed Charlie Miller to win $10,000 in the Pwn2Own contest at CanSecWest, as well as another security issue affecting the latest builds of Tiger (10.4.11) and Leopard (10.5.2) and two security issues affecting Windows XP/Vista. A little over two weeks after the flaw was used to hack into Mac OS X, Apple says it fixed the security issue (CVE-2008-1026) where a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution due to a heap buffer overflow in WebKit's handling of JavaScript regular expressions. Apple's newly patched browser addresses the issue by performing additional validation of JavaScript regular expressions.
Apple also noted that the update fixes an issue (CVE-2008-1025) where a malicious website may result in cross-site scripting: "An issue exists in WebKit's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack," Apple wrote in its security update. "This update addresses the issue through improved handling of URLs."
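The defensive side of the colon-in-host issue, as an added example rather than Apple's or WebKit's code: an origin check that parses the URL authority strictly against the RFC 3986 grammar and refuses to compute an origin at all when a host carries a colon that is not a valid port separator or part of a bracketed IPv6 literal. The function names are this example's own.

```javascript
// Strict URL authority parsing for an origin check. Added example, not
// Apple/WebKit code; follows the RFC 3986 authority grammar.

// Split "scheme://authority<rest>"; null when that prefix is absent.
function splitAuthority(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([^/?#]*)(.*)$/.exec(url);
  return m ? { scheme: m[1].toLowerCase(), authority: m[2], rest: m[3] } : null;
}

// Parse host[:port] strictly. A colon is accepted only as the port separator
// before an all-digit port, or inside a bracketed IPv6 literal; any other
// colon is treated as malformed and rejected instead of being guessed at.
function parseHost(authority) {
  // userinfo is split off at the last '@' (WHATWG style), so a colon in
  // user:password never reaches the host check.
  const at = authority.lastIndexOf('@');
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  let host, port = null;
  if (hostport.startsWith('[')) {                      // IP-literal
    const close = hostport.indexOf(']');
    if (close === -1) return null;
    host = hostport.slice(0, close + 1);
    const tail = hostport.slice(close + 1);
    if (tail !== '' && !/^:\d*$/.test(tail)) return null;
    port = tail.length > 1 ? tail.slice(1) : null;
    if (!/^\[[0-9A-Fa-f:.]+\]$/.test(host)) return null;
  } else {                                             // reg-name / IPv4
    const parts = hostport.split(':');
    if (parts.length > 2) return null;                 // a second colon: malformed
    if (parts.length === 2 && !/^\d*$/.test(parts[1])) return null;
    host = parts[0];
    port = parts.length === 2 && parts[1] !== '' ? parts[1] : null;
    // reg-name = *( unreserved / pct-encoded / sub-delims ), non-empty here
    if (host === '' || !/^(?:[A-Za-z0-9._~!$&'()*+,;=-]|%[0-9A-Fa-f]{2})*$/.test(host)) return null;
  }
  return { host: host.toLowerCase(), port };
}

// Serialized origin "scheme://host[:port]", or null for anything malformed.
// Callers treat null as "same-origin with nothing". Default ports are not
// normalized here.
function strictOrigin(url) {
  const s = splitAuthority(url);
  const h = s && parseHost(s.authority);
  return h ? `${s.scheme}://${h.host}${h.port !== null ? ':' + h.port : ''}` : null;
}

function sameOrigin(a, b) {
  const oa = strictOrigin(a), ob = strictOrigin(b);
  return oa !== null && oa === ob;
}
```

A host such as `example.com:evil.com` yields no origin, so it can never compare equal to a legitimate one.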
On the Windows side, Apple patched CVE-2007-2398 and CVE-2008-1024. The former is a flaw that lets a maliciously crafted website control the contents of the address bar; it was patched in a public beta of v3.0 but then reintroduced in v3.1:
"A timing issue in Safari 3.1 allows a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered," Apple noted. "This issue was addressed in Safari Beta 3.0.2, but reintroduced in Safari 3.1. This update addresses the issue by restoring the address bar contents if a request for a new web page is terminated. This issue does not affect Mac OS X systems."
The latter, the company notes, fixes an issue where a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a memory corruption issue in Safari's file downloading.
"By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems," Apple noted.
The Mozilla Foundation noted that the latest Firefox 2.0.0.14 fixes a single "critical" issue that could cause a crash in the JavaScript garbage collector (the issue also affects Thunderbird and SeaMonkey); however, an exploit for the vulnerability has not been demonstrated.
"We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past," Mozilla's advisory stated. "Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail."
Filed under: security, software
Other story tags: Windows, Leopard, Safari, Firefox, mozilla
G5iMac w/Leopard
The whole "if it ain't broke, don't fix it" axiom.
Some of what they're talking about above can also be fixed by actually paying attention to the text/URL that is sitting in the Address bar of a user's browser.
If you intended to go to MacNN or Bank of America or wherever, "look" at the Address Bar and see if it says "MACNN.com" or "BANKOFAMERICA.com".
If it doesn't, then you're probably NOT at your Bank's website.