More Safari for Windows security holes patched


Apple has refreshed its new Safari for Windows browser to patch a pair of vulnerabilities that could cause spoofing and HTTP redirection attacks.

This is the second batch of updates shipped for the beta browser since Apple's heavily hyped release of its flagship browser to the Windows ecosystem.


Both vulnerabilities affect Windows XP and Windows Vista users, while one patch is available for Safari on Mac OS X.

Details on the latest patches:

CVE-2007-2398 -- In Safari Beta 3.0.1 for Windows, a timing issue allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered.


CVE-2007-2400 -- Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This issue affects Mac OS X users.

WebKit
Apple also released a patch for WebCore to correct an HTTP injection issue in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks, Apple said. This affects Mac OS X, Windows XP and Windows Vista.
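The kind of check that closes this class of bug, as an added example that is not WebKit's code or Apple's fix: a header serializer that validates every name and value before writing the request. It assumes the injection comes from header names or values carrying line terminators or other control characters; the function names and sample headers are hypothetical.

```javascript
// Added example (not WebKit code): defensive serialization of request headers.
// Assumption: the injection class is header names/values that carry line
// terminators or other bytes that change how the request is framed.

// RFC 7230 "token" characters allowed in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// A field value may not contain CR, LF, NUL or other control characters
// (horizontal tab is allowed).
const BAD_VALUE = /[\u0000-\u0008\u000A-\u001F\u007F]/;

function validateHeader(name, value) {
  if (typeof name !== 'string' || !TOKEN.test(name)) {
    throw new TypeError('invalid header name');
  }
  const v = String(value);
  if (BAD_VALUE.test(v)) {
    throw new TypeError('invalid character in value of ' + name);
  }
  // Leading and trailing whitespace is not part of the value.
  return [name, v.trim()];
}

// Build the header block of a request. Every pair is validated before any
// byte is emitted, so one bad header rejects the whole request instead of
// producing a partially written one.
function serializeHeaders(pairs) {
  const checked = pairs.map(([n, v]) => validateHeader(n, v));
  return checked.map(([n, v]) => n + ': ' + v + '\r\n').join('') + '\r\n';
}

// Count header lines as a receiving server would, to confirm that the
// number of lines on the wire equals the number of headers the caller set.
function countHeaderLines(block) {
  return block.split('\r\n').filter((line) => line.length > 0).length;
}
```

Rejecting the request outright, rather than stripping the offending characters, keeps the serialized header count equal to what the calling script asked for.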

The fix for a fourth vulnerability, in WebKit, corrects a potential code execution issue affecting Mac OS X, Windows XP and Windows Vista users. This could be exploited by luring users to a maliciously crafted Web site.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
