Apple patches some Windows Safari bugs
It has released Safari 3.0.1, fixing three flaws in three days
Computerworld - Apple Inc. took just three days to update the beta of its Safari browser for Windows, releasing a new version that patches three vulnerabilities.
Safari 3.0.1 fixed three flaws -- a minority of the bugs found so far by researchers -- in the Windows beta. According to Apple, two of the trio don't affect the Safari 3.0 beta that runs on Mac OS X, but the third can crash the Mac browser.
All three are critical vulnerabilities, although Apple, unlike other browser makers such as Microsoft Corp. and Mozilla Corp., does not rank threats. Instead, Apple uses the phrasing "may lead to arbitrary code execution," which is equivalent to the "critical" bug category for Internet Explorer and Firefox.
"By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue which may lead to arbitrary code execution," the Apple advisory said. "This update addresses the issue by performing additional processing and validation of URLs. This does not pose a security issue on Mac OS X systems, but could lead to an unexpected termination of the Safari browser."
In that message, Apple is referring to the bug dug up by researcher Thor Larholm in just two hours on Monday, Larholm confirmed today in a posting on his blog. "As far as I can tell right now, the vulnerability has indeed been fixed," said Larholm. "I want to congratulate Apple for fixing a serious security vulnerability in such a short time frame. Their usual response time can be counted in weeks to months."
Two other researchers, David Maynor and Aviv Raff, also posted claims about Safari vulnerabilities on Monday. In an e-mail today, Raff reported that the one bug he spotted has also been fixed. "I've tested the new version by running [the fuzzing tool] Hamachi again. Apparently, this version fixes the vulnerability."
Apple did not credit any researchers in its advisory. That grated on Raff. "I don't think this is a smart move," he said.
Neither Raff nor Maynor filed their flaws with Apple's security team, citing what they see as the company's antagonistic attitude toward independent vulnerability researchers. Maynor has been adamant that he won't report vulnerabilities to Apple because of a blow-up last summer over a wireless hack he and another researcher demonstrated at the Black Hat security conference. Maynor was not available for comment today.
The Safari update can be downloaded and installed manually from the Apple site, or retrieved using Apple Update, a utility bundled with Apple's Windows software.