

Apple patches more Safari 3 holes

June 23rd, 2007

If you have installed Safari 3 for Windows (or Mac), it's time for another update. Safari 3.0.2 beta fixes four vulnerabilities in the browser, one of which can lead to arbitrary code execution. The entries from Apple's advisory:

  • Safari
    CVE-ID: CVE-2007-2398
    Available for: Windows XP or Vista
    Impact: A maliciously crafted website may control the contents of the address bar
    Description: In Safari Beta 3.0.1 for Windows, a timing issue allows a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This update addresses the issue by restoring the address bar contents if a request for a new web page is terminated. This issue does not affect Mac OS X systems.
  • Safari
    CVE-ID: CVE-2007-2400
    Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
    Impact: Visiting a malicious website may allow cross-site scripting
    Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, Ed Rowe of Adobe Systems, Inc. for reporting this issue.
  • WebCore
    CVE-ID: CVE-2007-2401
    Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
    Impact: Visiting a malicious website may allow cross-site requests
    Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd for reporting this issue.
  • WebKit
    CVE-ID: CVE-2007-2399
    Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
    Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
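
The XMLHttpRequest entry (CVE-2007-2401) describes a header-injection bug: if the browser writes a script-supplied header value into the request text without checking it, a value containing CR LF becomes a second header line on the wire. The following is an added example, not code from the original post or from Apple/WebKit: a toy serializer in the naive form beside one that applies the kind of "additional validation of header parameters" the fix describes. The function names, the regular expression and the sample request are all assumptions made for this illustration.

```javascript
// Added example (not from the original post or from Apple/WebKit). Models the
// header-serialization step behind CVE-2007-2401. `naiveSerialize` copies
// script-supplied header values straight into the request text, so a value
// containing CR LF splits into an extra header; `validatedSerialize` applies
// the kind of check the fix describes and rejects such values before they
// reach the wire. All names and sample data here are constructed for the demo.

// Allowed characters in a header field name (RFC 7230 token), an assumption
// about what "validation of header parameters" should enforce.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Vulnerable form: no validation of names or values.
function naiveSerialize(method, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    out += `${name}: ${value}\r\n`;
  }
  return out + '\r\n';
}

// Hardened form: reject names that are not tokens and values containing
// CR, LF or NUL, which is what turns one header into two on the wire.
function validateHeader(name, value) {
  if (!TOKEN.test(name)) {
    throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  }
  if (/[\r\n\0]/.test(String(value))) {
    throw new TypeError(`invalid header value: ${JSON.stringify(value)}`);
  }
}

function validatedSerialize(method, path, headers) {
  for (const [name, value] of Object.entries(headers)) {
    validateHeader(name, value);
  }
  return naiveSerialize(method, path, headers);
}

// What a receiving server would see: the header lines of the request,
// split exactly as an HTTP parser splits them.
function parseHeaderLines(requestText) {
  const [head] = requestText.split('\r\n\r\n');
  return head.split('\r\n').slice(1); // drop the request line
}

// Constructed attacker input: a harmless-looking value followed by CR LF
// and a smuggled header.
const injected = { 'X-Note': 'hello\r\nCookie: session=forged' };

// With the naive serializer, one script-supplied header arrives as two.
const naiveLines = parseHeaderLines(naiveSerialize('GET', '/', injected));
// -> ['X-Note: hello', 'Cookie: session=forged']

// Returns 'accepted' or 'rejected' so the outcome can be checked directly.
function tryValidated(headers) {
  try {
    validatedSerialize('GET', '/', headers);
    return 'accepted';
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'error';
  }
}

console.log(naiveLines);                                   // two header lines
console.log(tryValidated(injected));                       // rejected
console.log(tryValidated({ 'X-Note': 'hello' }));          // accepted
```

Run it with Node. The point of the check is that it sits at the API boundary (the equivalent of setRequestHeader), so a page cannot smuggle request-splitting bytes into a header no matter how the rest of the request is built.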

Windows users can get the new download here.


Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.