Apple patches Safari beta browser a second time
It also released a Mac-only security update for older versions of the browser
Computerworld - Apple Inc. today issued security updates to patch four vulnerabilities in Mac OS X and the Safari beta, marking the second time in eight days that the company has had to fix its newest browser, which runs on both Mac and Windows XP and Vista machines.
The 2007-006 update for Mac OS X 10.3, "Panther" and 10.4 "Tiger," fixes a pair of problems in Safari -- the production-quality versions bundled with the operating system -- including a memory corruption vulnerability that could end with an attacker in control of the Mac. "Visiting a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution," Apple said in its alert.
The second bug, and to Apple, the less serious of the two, is a cross-site scripting flaw (XSS) in Safari that could be used by phishing sites to steal usernames and passwords.
Apple today also updated the Safari beta, first released June 11, to version 3.0.2 for both Mac and Windows. Mac Safari 3.0.2 patches another XSS bug, while the Windows edition fixes that, plus a separate vulnerability that could let an attacker disguise the browser's address bar, perhaps as part of a spoofed site meant to trick users into divulging confidential information, such as bank account passwords.
For Mac users, 2007-006 and the Safari update are mutually exclusive. If a Mac user has installed Safari Beta 3, only the Safari update will be offered; users who haven't bothered to try out the beta will see only the standard Mac OS X update. Windows users can update Safari to 3.0.2 by downloading the new version from Apple's site, or by running the optional Apple Software Update utility.
The just-patched Safari bugs were credited to a team at Adobe Systems Inc., as well as to researchers at Westnet, an Australian Internet service provider, and Westpoint Ltd., a U.K.-based security company. None were accredited to Dave Maynor, one of several researchers who dug up vulnerabilities within a few hours of Safari 3.0's launch last week. Maynor, who said he had found half-a-dozen bugs straight away, refuses to disclose his findings to Apple, part of a year-long feud that goes back to a wireless hack demo Maynor and another researcher gave at last August's Black Hat security conference.
"Due to the cries of 'it doesn't count, it's beta,' we are waiting to release any further information till the browser is released in a final state," Maynor said in an e-mail earlier this week.
Read more about Security in Computerworld's Security Topic Center.
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- What are the desktop virtualization market trends and how can you successfully deploy your solution? You've probably heard about desktop virtualization -- and some of its benefits -- things like tighter security, streamlined management and lower costs. But...
- The Value of Symantec NetBackup Appliances In this video, Symantec's Shelley Schmokel, Principal Product Manager for NetBackup Appliances, talks about the NetBackup Integrated Appliances and how they deliver enterprise-class... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!