Apple plugs holes in WebCore, WebKit, and Safari 3.0 beta
Two new patches released by Apple Inc. on Friday afternoon address security issues with Mac OS X web frameworks and the company's recently-released Safari 3.0 beta for both Mac and Windows PCs.
The first of the two updates, Security Update 2007-006, corrects a HTTP injection issue that exists in WebCore's XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks, Apple said. The security update addresses the issue by performing additional validation of header parameters.
The patch also corrects an invalid type conversion that occurs when WebKit renders frame sets, which could lead to memory corruption. If exploited by a maliciously crafted web page, the vulnerability could lead to an unexpected application termination or arbitrary code execution, Apple said.
Security Update 2007-006 is available as a 2.7MB download for PowerPC Macs running Mac OS X 10.4.9 or later, a 4.5MB download for Intel Macs running Mac OS X 10.4.9, or a 2.2MB download for PowerPC Macs running Mac OS X 10.3.9.
Safari 3 Beta Update 3.0.2
Also on Friday, Apple issued Safari 3 Beta Update 3.0.2 for both Macs and Windows PCs. The updates includes both of the aforementioned fixes and adds two Safari-specific security enhancements.
The first, Apple said, applies to a timing issue in Safari Beta 3.0.1 for Windows that allows a web page to change the contents of the address bar without loading
the contents of the corresponding page.
The glitch, which does not apply to Mac OS X systems, could theoretically be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. Safari 3.0.2 addresses the issue by restoring the address bar contents if a request for a new web page is terminated.
The other fix, which applies to both the Mac and Windows version of Safari 3.0.1, targets a race condition in page updating that when combined with HTTP redirection may allow JavaScript from one page to modify a redirected page.
"This could allow cookies and pages to be read or arbitrarily modified," Apple explained.
Safari 3.0.2, which was released via Apple's Software Update mechanism, addresses the issue by correcting access control to window properties.
18 Comments
Not only did Apple plug the aforementioned security holes, they have also fixed a couple of text rendering/entry issues I have been experiencing on my localized version of Windows that made the web experience with Safari less merry than that with Internet Explorer. Hooray for Apple!
Safari 3.0.2 freezes on my PPC when downloading anything
Safari 3.0.2 freezes on my PPC when downloading anything
Thus, the term "beta".
Thus, the term "beta".
It's an often-misused term. Some projects, such as Google's projects, are "Beta" and left at that designation despite being production quality for a long time. Apple's Safari was too ridiculously problematic to deserve the designation. Mozilla's developer nightlies are about as stable or more stable than Safari was.
Safari for Windows 3.0 was a big disappointment as I couldn't create any bookmarks on Windows XP nor import existing Firefox bookmarks.
Was the issue tied to the French language localization, or the Firefox bookmarks? I wouldn't know, but the whole experience was a disaster.
Crash reports were dutifully sent to Apple, so that Apple is aware of the problem. Hopefully, it will soon be corrected. But, don't count on me to test alpha or beta software from Apple. Once burnt, twice shy.