New MacBook Pros are here! Get the lowest prices anywhere: Apple Price Guides updated Sept 29th (exclusive coupons)
 


Wednesday, April 16, 2008, 02:00 pm PT (05:00 pm ET)

Apple releases Safari 3.1.1 to address four security issues

Apple on Wednesday afternoon released version 3.1.1 of its Safari web browser to address a handful of security issues, including one widely publicized vulnerability that allowed a MacBook Air to be compromised during a recent security conference.

The 39MB release, available for both Macs and Windows PCs, is recommended for all Safari users and includes improvements to stability, compatibility and security.

Specifically, Apple said the update patches four security issues, including a heap buffer overflow that existed within the browser's WebKit framework for handling JavaScript regular expressions.

The issue was reported by Charlie Miller, who discovered and exploited the vulnerability on a MacBook Air to win a $10,000 prize at last month's CanSecWest security conference.

The Safari 3.1.1 update also addressed a second issue within WebKit's handling of URLs containing a colon character in the host name. By exploiting that vulnerability, a hacker could use a maliciously crafted URL to lead a cross-site scripting attack, Apple said.

Two other issues with the Safari application itself were also addressed, though they concerned only the PC version of the browser. One of those issues made it possible for a maliciously crafted website to control the contents of a user's address bar, while the other made it possible for maliciously crafted website to cause arbitrary code execution or the Safari application to unexpectedly quit.