
Apple Security Update Patches Safari 3 Beta

The download fixes remote code execution bugs and other flaws in both Apple's Safari Web browser beta and Mac OS X.

Apple on Monday released security updates for vulnerabilities in Mac OS X, as well as in its Safari for Windows beta, which has had early trouble with multiple bugs.

The update marks the second time in just more than a week that Apple has had to update its Safari 3 beta, which is designed for both the Mac and the Windows operating systems. Both patches in Security Update 2007-006 affect Safari. One patch fixes a remote code execution bug in WebKit, which is an open source Web browser engine. The second patch fixes a flaw that causes cross-site requests in WebCore, which is a framework for Mac OS X.

Apple noted in an online advisory that the WebKit bug is caused by an invalid type conversion when rendering frame sets. Apple reported that it could lead to memory corruption. "Visiting a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution," according to the advisory.

Apple credits Rhys Kidd of Westnet for reporting the issue.

The WebCore flaw is an HTTP injection issue that exists in XMLHttpRequest when serializing headers into an HTTP request, according to Apple. By luring a user to visit a malicious Web page, an attacker could remotely execute cross-site scripting attacks. This patch is designed to fix the flaw by performing additional validation of header parameters.

Apple credits Richard Moore of Westpoint for reporting the bug.
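The class of bug described above, header injection during request serialization, comes down to whether caller-supplied header strings can add lines to the outgoing request. The following is an added example, not Apple's or WebCore's code: the function names are hypothetical, the sample headers are constructed, and the specific checks (RFC 7230 token syntax for names; no CR, LF or NUL in values) are an assumption about what "additional validation of header parameters" would involve.

```javascript
// Added illustration; function names are hypothetical, not WebCore's code.
const CRLF = "\r\n";

// Header names must be an RFC 7230 "token": no separators, spaces or controls.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Header values may not contain CR, LF or NUL, the bytes that end a header line.
const BAD_VALUE = /[\r\n\0]/;

// Naive serializer: copies caller-supplied strings straight into the request.
function serializeNaive(method, path, headers) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of headers) lines.push(`${name}: ${value}`);
  return lines.join(CRLF) + CRLF + CRLF;
}

// Validating serializer: rejects any name or value that could add a line.
function serializeChecked(method, path, headers) {
  for (const [name, value] of headers) {
    if (!TOKEN.test(name)) throw new Error(`invalid header name: ${JSON.stringify(name)}`);
    if (BAD_VALUE.test(value)) throw new Error(`invalid header value for ${name}`);
  }
  return serializeNaive(method, path, headers);
}

// Count the header lines a server would parse (request line excluded).
function headerLineCount(raw) {
  const head = raw.slice(0, raw.indexOf(CRLF + CRLF));
  return head.split(CRLF).length - 1;
}

// Constructed sample input: two headers, one value carrying an embedded CRLF.
const sample = [
  ["Accept", "text/html"],
  ["X-Note", "hello\r\nX-Injected: 1"],
];

// Compare both serializers on the same input.
function demo() {
  const naiveLines = headerLineCount(serializeNaive("GET", "/", sample));
  let rejected = false;
  try { serializeChecked("GET", "/", sample); } catch (e) { rejected = true; }
  return { supplied: sample.length, naiveLines, rejected };
}

console.log(demo());
```

The naive serializer emits more header lines than the caller supplied, which is the signal a code review or a unit test can check for; the validating version refuses the input before anything is written.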

This is the second security update Apple has issued to fix problems in its Safari beta. The first update patched three of the multiple vulnerabilities that researchers found in the beta immediately upon its release. Safari 3.0.1 Public Beta for Windows fixes two flaws that only affect the Windows version of Apple's browser, along with one vulnerability that affects Windows and also could crash the browser running on the Mac OS X operating system.

"I think it was obvious they had to do this to save the day since there were so many problems with the release," said Johannes Ullrich, chief research officer of the SANS Institute and chief technology officer for the Internet Storm Center, in a previous interview. "For a beta product like this, it's really in development, so it's for people to play with and test. And they really have."
