Apple patches some Windows Safari bugs
It has released Safari 3.0.1, fixing three flaws in three days
June 14, 2007 12:00 PM ETComputerworld - Apple Inc. took just three days to update the beta of its Safari browser for Windows, releasing a new version that patches three vulnerabilities.
Safari 3.0.1 fixed three flaws -- a minority of the bugs found so far by researchers -- in the Windows beta. According to Apple, two of the trio don't affect the Safari 3.0 beta that runs on Mac OS X, but the third can crash the Mac browser.
All three are critical vulnerabilities, although Apple does not rank threats, as do other browser makers such as Microsoft Corp. and Mozilla Corp. Instead, Apple uses the phrasing "may lead to arbitrary code execution," which is equivalent to the "critical" bug category for Internet Explorer and Firefox.
"By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue which may lead to arbitrary code execution," the Apple advisory said. "This update addresses the issue by performing additional processing and validation of URLs. This does not pose a security issue on Mac OS X systems, but could lead to an unexpected termination of the Safari browser."
In that message, Apple is referring to the bug dug up by researcher Thor Larholm in just two hours on Monday, Larholm confirmed today in a posting on his blog. "As far as I can tell right now, the vulnerability has indeed been fixed," said Larholm. "I want to congratulate Apple for fixing a serious security vulnerability in such a short time frame. Their usual response time can be counted in weeks to months."
Two other researchers, David Maynor and Aviv Raff, also posted claims about Safari vulnerabilities on Monday. In an e-mail today, Raff reported that the one bug he spotted has also been fixed. "I've tested the new version by running [the fuzzing tool] Hamachi again. Apparently, this version fixes the vulnerability."
Apple did not credit any researchers in its advisory. That grated on Raff. "I don't think this is a smart move," he said.
Neither Raff or Maynor filed their flaws with Apple's security team, citing what they see as the company's antagonistic attitude toward independent vulnerability researchers. Maynor has been adamant that he won't report vulnerabilities to Apple because of a blow-up last summer over a wireless hack he and another researcher demonstrated at the Black Hat security conference. Maynor was not available for comment today.
The Safari update can be downloaded and installed manually from the Apple site, or retrieved using Apple Update, a utility bundled with Apple's Windows software.
Read more about security in Computerworld's Security Knowledge Center.
Apple
Additional Resources



White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

