Apple patches some Windows Safari bugs
It has released Safari 3.0.1, fixing three flaws in three days
Computerworld - Apple Inc. took just three days to update the beta of its Safari browser for Windows, releasing a new version that patches three vulnerabilities.
Safari 3.0.1 fixed three flaws -- a minority of the bugs found so far by researchers -- in the Windows beta. According to Apple, two of the trio don't affect the Safari 3.0 beta that runs on Mac OS X, but the third can crash the Mac browser.
All three are critical vulnerabilities, although Apple does not rank threats, as do other browser makers such as Microsoft Corp. and Mozilla Corp. Instead, Apple uses the phrasing "may lead to arbitrary code execution," which is equivalent to the "critical" bug category for Internet Explorer and Firefox.
"By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue which may lead to arbitrary code execution," the Apple advisory said. "This update addresses the issue by performing additional processing and validation of URLs. This does not pose a security issue on Mac OS X systems, but could lead to an unexpected termination of the Safari browser."
In that message, Apple is referring to the bug dug up by researcher Thor Larholm in just two hours on Monday, Larholm confirmed today in a posting on his blog. "As far as I can tell right now, the vulnerability has indeed been fixed," said Larholm. "I want to congratulate Apple for fixing a serious security vulnerability in such a short time frame. Their usual response time can be counted in weeks to months."
Two other researchers, David Maynor and Aviv Raff, also posted claims about Safari vulnerabilities on Monday. In an e-mail today, Raff reported that the one bug he spotted has also been fixed. "I've tested the new version by running [the fuzzing tool] Hamachi again. Apparently, this version fixes the vulnerability."
Apple did not credit any researchers in its advisory. That grated on Raff. "I don't think this is a smart move," he said.
Neither Raff nor Maynor filed their flaws with Apple's security team, citing what they see as the company's antagonistic attitude toward independent vulnerability researchers. Maynor has been adamant that he won't report vulnerabilities to Apple because of a blow-up last summer over a wireless hack he and another researcher demonstrated at the Black Hat security conference. Maynor was not available for comment today.
The Safari update can be downloaded and installed manually from the Apple site, or retrieved using Apple Update, a utility bundled with Apple's Windows software.