TechWeb

Apple Security Update Patches Safari 3 Beta

Jun 26, 2007 (11:06 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=200000815

Apple on Monday released security updates for vulnerabilities in Mac OS X, as well as in its Safari for Windows beta, which has had early trouble with multiple bugs.

The update marks the second time in just over a week that Apple has had to patch its Safari 3 beta, which is designed for both Mac OS X and Windows. Both fixes in Security Update 2007-006 affect Safari. One fixes a remote code execution bug in WebKit, the open source browser engine behind Safari. The other fixes an HTTP header-injection flaw in WebCore, the WebKit component that handles page rendering and the DOM and ships on Mac OS X as a framework; the flaw can be used to mount cross-site scripting attacks.

Apple noted in an online advisory that the WebKit bug is caused by an invalid type conversion when rendering frame sets. Apple reported that it could lead to memory corruption. "Visiting a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution," according to the advisory.

Apple credits Rhys Kidd of Westnet for reporting the issue.

The WebCore flaw is an HTTP injection issue in XMLHttpRequest that occurs when headers are serialized into an HTTP request, according to Apple. Page scripts supply header names and values through XMLHttpRequest's setRequestHeader() method; if those strings are copied into the request without rejecting carriage-return and line-feed characters, a script can append headers of its own or terminate the request early, which is the usual mechanism behind this class of bug. By luring a user to a malicious Web page, an attacker could use this to carry out cross-site scripting attacks. The patch addresses the flaw by performing additional validation of header parameters.

Apple credits Richard Moore of Westpoint for reporting the bug.
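The following is an added example, not WebKit's code and not from Apple's or the reporter's advisory. It models the header-serialization step the advisory describes: a serializer that copies script-supplied header names and values straight into the request, beside one that performs the kind of validation the fix adds. The header names, values, the forbidden-name list and the helper names are assumptions made for illustration.

```javascript
// Added example (not WebKit's code): a minimal model of how an XMLHttpRequest
// implementation turns script-supplied headers into request bytes, first
// without validation and then with the kind of check Apple's advisory
// describes. Header names and values below are constructed for illustration.

const CRLF = "\r\n";

// Vulnerable serializer: copies whatever the page passed to setRequestHeader()
// straight into the wire format. A CR/LF inside a value ends the header line
// early, so the remainder is parsed as further headers (or a new request).
function serializeHeadersUnsafe(method, path, headers) {
  let req = `${method} ${path} HTTP/1.1${CRLF}`;
  for (const [name, value] of headers) {
    req += `${name}: ${value}${CRLF}`;
  }
  return req + CRLF; // blank line terminates the header block
}

// RFC 2616 "token": a field-name may contain no control or separator characters.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Headers a page script should not control at all (illustrative subset, assumed).
const FORBIDDEN_NAMES = new Set([
  "host", "content-length", "connection", "transfer-encoding", "cookie",
]);

// Hardened check, standing in for the validation step the fix adds. Returns
// true only when the name is a token, is not on the forbidden list, and the
// value carries no control bytes (which covers CR and LF, the injection vector).
function isValidHeader(name, value) {
  if (!TOKEN_RE.test(name)) return false;
  if (FORBIDDEN_NAMES.has(name.toLowerCase())) return false;
  if (/[\x00-\x1f\x7f]/.test(value)) return false;
  return true;
}

// Hardened serializer: refuse the whole request if any header fails validation.
function serializeHeadersSafe(method, path, headers) {
  for (const [name, value] of headers) {
    if (!isValidHeader(name, value)) {
      throw new Error(`setRequestHeader rejected ${JSON.stringify(name)}`);
    }
  }
  return serializeHeadersUnsafe(method, path, headers);
}

// Count the header lines a server would parse; comparing that with the number
// of headers the page actually set reveals a successful injection.
function countHeaderLines(req) {
  return req.split(CRLF).filter((line) => /^[^ ]+:/.test(line)).length;
}

// Constructed attack payload: a legitimate-looking value followed by CRLF and
// an extra header the page was never allowed to set.
const injected = "text/plain" + CRLF + "X-Injected: 1";
const pageHeaders = [["Content-Type", injected]];

// The vulnerable path lets the server see two headers although the page set one.
const unsafeReq = serializeHeadersUnsafe("POST", "/api", pageHeaders);
console.log(countHeaderLines(unsafeReq)); // 2

// The hardened path rejects the same input outright.
let rejected = false;
try {
  serializeHeadersSafe("POST", "/api", pageHeaders);
} catch (e) {
  rejected = true;
}
console.log(rejected); // true

// A clean header passes the hardened path unchanged.
console.log(countHeaderLines(serializeHeadersSafe("GET", "/", [["X-Token", "abc123"]]))); // 1
```

The check rejects the request rather than stripping the offending bytes: silently deleting CR and LF would let a script probe which characters survive, and the page has no legitimate reason to put control characters in a header. The forbidden-name list is only a sketch; a real implementation also has to keep scripts away from headers that the browser itself sets.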

This is the second security update Apple has issued for the Safari beta. The first, Safari 3.0.1 Public Beta for Windows, patched three of the vulnerabilities that researchers found in the beta immediately after its release: two flaws that affect only the Windows version of the browser, and one that affects Windows and could also crash the browser on Mac OS X.

"I think it was obvious they had to do this to save the day since there were so many problems with the release," said Johannes Ullrich, chief research officer of the SANS Institute and chief technology officer for the Internet Storm Center, in a previous interview. "For a beta product like this, it's really in development, so it's for people to play with and test. And they really have."