Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple plugs holes in WebCore, WebKit, and Safari 3.0 beta

Prince McLean |

Two new patches released by Apple Inc. on Friday afternoon address security issues with Mac OS X web frameworks and the company's recently-released Safari 3.0 beta for both Mac and Windows PCs.

Security Update 2007-006

The first of the two updates, Security Update 2007-006, corrects a HTTP injection issue that exists in WebCore's XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks, Apple said. The security update addresses the issue by performing additional validation of header parameters.

The patch also corrects an invalid type conversion that occurs when WebKit renders frame sets, which could lead to memory corruption. If exploited by a maliciously crafted web page, the vulnerability could lead to an unexpected application termination or arbitrary code execution, Apple said.

Security Update 2007-006 is available as a 2.7MB download for PowerPC Macs running Mac OS X 10.4.9 or later, a 4.5MB download for Intel Macs running Mac OS X 10.4.9, or a 2.2MB download for PowerPC Macs running Mac OS X 10.3.9.

Safari 3 Beta Update 3.0.2

Also on Friday, Apple issued Safari 3 Beta Update 3.0.2 for both Macs and Windows PCs. The updates includes both of the aforementioned fixes and adds two Safari-specific security enhancements.

The first, Apple said, applies to a timing issue in Safari Beta 3.0.1 for Windows that allows a web page to change the contents of the address bar without loading

the contents of the corresponding page.

The glitch, which does not apply to Mac OS X systems, could theoretically be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. Safari 3.0.2 addresses the issue by restoring the address bar contents if a request for a new web page is terminated.

The other fix, which applies to both the Mac and Windows version of Safari 3.0.1, targets a race condition in page updating that when combined with HTTP redirection may allow JavaScript from one page to modify a redirected page.

"This could allow cookies and pages to be read or arbitrarily modified," Apple explained.

Safari 3.0.2, which was released via Apple's Software Update mechanism, addresses the issue by correcting access control to window properties.

 

Top Stories

article thumbnail

Amazon's latest Apple deals make perfect Mother's Day gifts (and prices start at just $24)

article thumbnail

Apple's macOS 15 to get rare cognitive boost via Project GreyParrot

article thumbnail

How to use Delta to emulate retro games on your iPhone

article thumbnail

New HomePod part leak shows off glossy display cover

article thumbnail

Apple Notes in iOS 18 looks to up the ante with Microsoft OneNote

article thumbnail

When to expect every Mac to get the AI-based M4 processor

article thumbnail

Grab Apple's new M3 MacBook Air for $999