Apple patches Safari beta browser a second time

Computerworld - Apple Inc. today issued security updates to patch four vulnerabilities in Mac OS X and the Safari beta, marking the second time in eight days that the company has had to fix its newest browser, which runs on both Mac and Windows XP and Vista machines.

The 2007-006 update for Mac OS X 10.3, "Panther" and 10.4 "Tiger," fixes a pair of problems in Safari -- the production-quality versions bundled with the operating system -- including a memory corruption vulnerability that could end with an attacker in control of the Mac. "Visiting a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution," Apple said in its alert.

The second bug, and to Apple, the less serious of the two, is a cross-site scripting flaw (XSS) in Safari that could be used by phishing sites to steal usernames and passwords.

Apple today also updated the Safari beta, first released June 11, to version 3.0.2 for both Mac and Windows. Mac Safari 3.0.2 patches another XSS bug, while the Windows edition fixes that, plus a separate vulnerability that could let an attacker disguise the browser's address bar, perhaps as part of a spoofed site meant to trick users into divulging confidential information, such as bank account passwords.

For Mac users, 2007-006 and the Safari update are mutually exclusive. If a Mac user has installed Safari Beta 3, only the Safari update will be offered; users who haven't bothered to try out the beta will see only the standard Mac OS X update. Windows users can update Safari to 3.0.2 by downloading the new version from Apple's site, or by running the optional Apple Software Update utility.

The just-patched Safari bugs were credited to a team at Adobe Systems Inc., as well as to researchers at Westnet, an Australian Internet service provider, and Westpoint Ltd., a U.K.-based security company. None were accredited to Dave Maynor, one of several researchers who dug up vulnerabilities within a few hours of Safari 3.0's launch last week. Maynor, who said he had found half-a-dozen bugs straight away, refuses to disclose his findings to Apple, part of a year-long feud that goes back to a wireless hack demo Maynor and another researcher gave at last August's Black Hat security conference.

"Due to the cries of 'it doesn't count, it's beta,' we are waiting to release any further information till the browser is released in a final state," Maynor said in an e-mail earlier this week.