Apple patches some Windows Safari bugs
It has released Safari 3.0.1, fixing three flaws in three days
Computerworld - Apple Inc. took just three days to update the beta of its Safari browser for Windows, releasing a new version that patches three vulnerabilities.
Safari 3.0.1 fixed three flaws -- a minority of the bugs found so far by researchers -- in the Windows beta. According to Apple, two of the trio don't affect the Safari 3.0 beta that runs on Mac OS X, but the third can crash the Mac browser.
All three are critical vulnerabilities, although Apple does not rank threats, as do other browser makers such as Microsoft Corp. and Mozilla Corp. Instead, Apple uses the phrasing "may lead to arbitrary code execution," which is equivalent to the "critical" bug category for Internet Explorer and Firefox.
"By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue which may lead to arbitrary code execution," the Apple advisory said. "This update addresses the issue by performing additional processing and validation of URLs. This does not pose a security issue on Mac OS X systems, but could lead to an unexpected termination of the Safari browser."
In that message, Apple is referring to the bug dug up by researcher Thor Larholm in just two hours on Monday, Larholm confirmed today in a posting on his blog. "As far as I can tell right now, the vulnerability has indeed been fixed," said Larholm. "I want to congratulate Apple for fixing a serious security vulnerability in such a short time frame. Their usual response time can be counted in weeks to months."
Two other researchers, David Maynor and Aviv Raff, also posted claims about Safari vulnerabilities on Monday. In an e-mail today, Raff reported that the one bug he spotted has also been fixed. "I've tested the new version by running [the fuzzing tool] Hamachi again. Apparently, this version fixes the vulnerability."
Apple did not credit any researchers in its advisory. That grated on Raff. "I don't think this is a smart move," he said.
Neither Raff or Maynor filed their flaws with Apple's security team, citing what they see as the company's antagonistic attitude toward independent vulnerability researchers. Maynor has been adamant that he won't report vulnerabilities to Apple because of a blow-up last summer over a wireless hack he and another researcher demonstrated at the Black Hat security conference. Maynor was not available for comment today.
The Safari update can be downloaded and installed manually from the Apple site, or retrieved using Apple Update, a utility bundled with Apple's Windows software.
Read more about Security in Computerworld's Security Topic Center.
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!