Apple patches Safari beta browser a second time
It also released a Mac-only security update for older versions of the browser
Computerworld - Apple Inc. today issued security updates to patch four vulnerabilities in Mac OS X and the Safari beta, marking the second time in eight days that the company has had to fix its newest browser, which runs on both Mac and Windows XP and Vista machines.
The 2007-006 update for Mac OS X 10.3, "Panther" and 10.4 "Tiger," fixes a pair of problems in Safari -- the production-quality versions bundled with the operating system -- including a memory corruption vulnerability that could end with an attacker in control of the Mac. "Visiting a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution," Apple said in its alert.
The second bug, and to Apple, the less serious of the two, is a cross-site scripting flaw (XSS) in Safari that could be used by phishing sites to steal usernames and passwords.
Apple today also updated the Safari beta, first released June 11, to version 3.0.2 for both Mac and Windows. Mac Safari 3.0.2 patches another XSS bug, while the Windows edition fixes that, plus a separate vulnerability that could let an attacker disguise the browser's address bar, perhaps as part of a spoofed site meant to trick users into divulging confidential information, such as bank account passwords.
For Mac users, 2007-006 and the Safari update are mutually exclusive. If a Mac user has installed Safari Beta 3, only the Safari update will be offered; users who haven't bothered to try out the beta will see only the standard Mac OS X update. Windows users can update Safari to 3.0.2 by downloading the new version from Apple's site, or by running the optional Apple Software Update utility.
The just-patched Safari bugs were credited to a team at Adobe Systems Inc., as well as to researchers at Westnet, an Australian Internet service provider, and Westpoint Ltd., a U.K.-based security company. None were accredited to Dave Maynor, one of several researchers who dug up vulnerabilities within a few hours of Safari 3.0's launch last week. Maynor, who said he had found half-a-dozen bugs straight away, refuses to disclose his findings to Apple, part of a year-long feud that goes back to a wireless hack demo Maynor and another researcher gave at last August's Black Hat security conference.
"Due to the cries of 'it doesn't count, it's beta,' we are waiting to release any further information till the browser is released in a final state," Maynor said in an e-mail earlier this week.
Read more about Security in Computerworld's Security Topic Center.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!