Apple patches more Safari 3 holes
June 23rd, 2007

If you have installed Safari 3 for Windows (or Mac) then it's time for another update. Safari 3.0.2 beta plugs up a number of vulnerabilities discovered in the browser.
- Safari
CVE-ID: CVE-2007-2398
Available for: Windows XP or Vista
Impact: A maliciously crafted website may control the contents of the address bar
Description: In Safari Beta 3.0.1 for Windows, a timing issue allows a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This update addresses the issue by restoring the address bar contents if a request for a new web page is terminated. This issue does not affect Mac OS X systems.

- Safari
CVE-ID: CVE-2007-2400
Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, Ed Rowe of Adobe Systems, Inc for reporting this issue.

- WebCore
CVE-ID: CVE-2007-2401
Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd for reporting this issue.

- WebKit
CVE-ID: CVE-2007-2399
Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
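The WebCore entry (CVE-2007-2401) says headers were serialized into the HTTP request without enough validation and that the fix adds validation of header parameters. The following is an added illustration, not Apple's or WebKit's code: a naive serializer beside a validating one, showing why a header value containing CR/LF has to be rejected before it reaches the wire. The token pattern is taken from RFC 7230, and the forbidden-name list is an assumed, illustrative set rather than the exact list any browser enforces.

```javascript
// Added example, not WebKit's code: why header values must be validated before
// they are serialized into an HTTP request, and what that validation looks like.
// The token pattern follows RFC 7230's "tchar"; the forbidden-name set is an
// assumed, illustrative list, not the exact set any browser enforces.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FORBIDDEN_NAMES = new Set(['host', 'content-length', 'connection', 'cookie']);

// Naive serializer: joins name/value pairs with CRLF and trusts the caller.
// A value that already contains "\r\n" therefore becomes an extra header line.
function naiveSerialize(headers) {
  return headers.map(([name, value]) => `${name}: ${value}`).join('\r\n') + '\r\n';
}

// Count the header lines a server would parse out of a serialized block.
function countHeaderLines(raw) {
  return raw.split('\r\n').filter((line) => line.length > 0).length;
}

// Validate one header before it is allowed anywhere near the request bytes.
function validateHeader(name, value) {
  if (typeof name !== 'string' || !TOKEN_RE.test(name)) {
    return { ok: false, reason: 'header name is not a valid token' };
  }
  if (FORBIDDEN_NAMES.has(name.toLowerCase())) {
    return { ok: false, reason: 'header name is reserved for the browser' };
  }
  if (typeof value !== 'string' || /[\r\n\0]/.test(value)) {
    return { ok: false, reason: 'header value contains CR, LF or NUL' };
  }
  return { ok: true };
}

// Hardened serializer: refuses the whole request if any header fails validation,
// so the number of lines on the wire always equals the number of headers given.
function serializeHeaders(headers) {
  const lines = [];
  for (const [name, value] of headers) {
    const check = validateHeader(name, value);
    if (!check.ok) {
      throw new Error(`rejected header ${JSON.stringify(name)}: ${check.reason}`);
    }
    lines.push(`${name}: ${value.trim()}`);
  }
  return lines.join('\r\n') + '\r\n';
}

// Constructed sample: one legitimate header and one whose value carries a CRLF.
const SAMPLE_HEADERS = [
  ['X-Requested-With', 'XMLHttpRequest'],
  ['X-Trace', 'abc\r\nX-Injected: 1'],
];

// Run both serializers over the sample and report what each one produced.
function demo() {
  const naiveLines = countHeaderLines(naiveSerialize(SAMPLE_HEADERS)); // 3 lines from 2 headers
  let hardenedResult;
  try {
    serializeHeaders(SAMPLE_HEADERS);
    hardenedResult = 'accepted';
  } catch (err) {
    hardenedResult = err.message;
  }
  return { naiveLines, hardenedResult };
}

console.log(demo());
```

The point of the contrast is that the naive path turns two headers into three on the wire, while the validating path fails closed: the request is never sent rather than sent with a header the page did not legitimately set. Rejecting the whole request, instead of silently dropping the bad header, also makes the failure visible to the script author.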
Windows users can get the new download here.