
Apple Security Update Patches Safari 3 Beta

The download fixes remote code execution bugs and other flaws in both its Safari Web browser beta and Mac OS X.

Apple on Monday released security updates for vulnerabilities in its Mac OS X, as well as its Safari for Windows beta, which has had early trouble with multiple bugs.

The update marks the second time in just more than a week that Apple has had to update its Safari 3 beta, which is designed for both the Mac and the Windows operating systems. Both patches in Security Update 2007-006 affect Safari. One patch fixes a remote code execution bug in WebKit, which is an open source Web browser engine. The second patch fixes a flaw that causes cross-site requests in WebCore, which is a framework for Mac OS X.

Apple noted in an online advisory that the WebKit bug is caused by an invalid type conversion when rendering frame sets. Apple reported that it could lead to memory corruption. "Visiting a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution," according to the advisory.

Apple credits Rhys Kidd of Westnet for reporting the issue.

The WebCore flaw is an HTTP injection issue that exists in XMLHttpRequest when serializing headers into an HTTP request, according to Apple. By luring a user to visit a malicious Web page, an attacker could remotely execute cross-site scripting attacks. This patch is designed to fix the flaw by performing additional validation of header parameters.

Apple credits Richard Moore of Westpoint for reporting the bug.
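The WebCore fix described above is "additional validation of header parameters". As an added illustration of what such validation looks like (this is example code written for this page, not Apple's or WebKit's fix), the following serializer refuses any header name that is not an HTTP token and any value containing CR, LF or NUL, which are the characters that would let a caller end the current header line and append lines of their own to the request. The header names and values are constructed sample inputs.

```javascript
// Added example (not Apple's or WebKit's code): a request-header serializer
// that validates each name/value pair before writing it, the kind of check
// the advisory says was added to XMLHttpRequest header handling.

// Header field names must be HTTP tokens: no separators, no control chars.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Validate one header pair. Returns null when acceptable, otherwise a short
// reason string saying why it was rejected.
function headerProblem(name, value) {
  if (typeof name !== 'string' || !TOKEN_RE.test(name)) {
    return 'invalid header name';
  }
  // CR, LF or NUL in a value would terminate the current header line, so the
  // rest of the value would be parsed by the server as further header lines.
  if (typeof value !== 'string' || /[\r\n\0]/.test(value)) {
    return 'control characters in header value';
  }
  return null;
}

// Serialize headers into the wire form an HTTP client emits, validating each
// pair first. Throws on the first unsafe pair instead of silently emitting it.
function serializeHeaders(headers) {
  const lines = [];
  for (const [name, value] of Object.entries(headers)) {
    const problem = headerProblem(name, value);
    if (problem !== null) {
      throw new Error(`refusing header ${JSON.stringify(name)}: ${problem}`);
    }
    lines.push(`${name}: ${value}`);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}

// Constructed sample inputs (not taken from the advisory).
const SAFE_HEADERS = { 'X-Requested-With': 'XMLHttpRequest', 'Accept': 'text/plain' };
const UNSAFE_HEADERS = { 'X-Custom': 'ok\r\nX-Extra: smuggled' };

// Serialize the safe set and confirm the unsafe set is rejected.
function demo() {
  const results = { safe: serializeHeaders(SAFE_HEADERS), unsafeRejected: false };
  try {
    serializeHeaders(UNSAFE_HEADERS);
  } catch (e) {
    results.unsafeRejected = true;
  }
  return results;
}
```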

This is the second security update Apple has issued to fix problems in its Safari beta. The first update patched three of the multiple vulnerabilities that researchers found in the beta immediately upon its release. Safari 3.0.1 Public Beta for Windows fixes two flaws that only affect the Windows version of Apple's browser, along with one vulnerability that affects Windows and also could crash the browser running on the Mac OS X operating system.

"I think it was obvious they had to do this to save the day since there were so many problems with the release," said Johannes Ullrich, chief research officer of the SANS Institute and chief technology officer for the Internet Storm Center, in a previous interview. "For a beta product like this, it's really in development, so it's for people to play with and test. And they really have."
