Apple plugs three Safari for Windows holes

Apple has responded swiftly to the discovery of vulnerabilities in its new Safari for Windows browser, rushing out fixes for a trio of potentially dangerous security flaws.


The new Safari 3.0.1 Public Beta confirms and fixes a remote code execution hole found by Danish hacker Thor Larholm and two other undocumented denial-of-service/code execution bugs.

"By enticing a user to visit a maliciously crafted web page, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional processing and validation of URLs," Apple said in an advisory.

Larholm confirms the bug has been fixed but suggests there may still be some related problems:

"Quotes and whitespace [are] now filtered on any requests to external URL protocol handler applications, but other characters are still being passed without filtering so I expect to find some variations pretty soon."

The browser refresh is available via the "Apple Software Update" application, which is installed with the most recent version of QuickTime or iTunes on Windows and should be treated as a high-priority update. Beta testers (Windows XP and Vista) can download Safari 3.0.1 here.

Details on the two other bugs:

CVE-2007-3185 -- Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution because of an "out-of-bounds memory read issue."

CVE-2007-2391 -- Visiting a malicious website may allow cross-site scripting because of a "race condition" issue. This could also allow access to JavaScript objects or the execution of arbitrary JavaScript in the context of another web page if a user is lured to a malicious Web page.

Apple claims that none of the bugs affect Safari on the Mac OS X platform.

  • I admit?

    my initial thoughts on the Safari Beta was, "Apple what are you doing?" But such a quick response to the issues with this update, I think, is commendable. This thing is a Beta but Apple realizes what is at stake in terms of their reputation and is reacting appropriately. This type of "swift" response should be commended yet I know the "Non_Zealots" will share their "opinion" on why Apple is the worst company in the Industrialized World. I would be saying the same thing if it was MS so please save the assumptions.
  • A nice step in the right direction

    Now, rather than keeping the cocky attitude about security, maybe they should try promoting an image which says "Hey, nobody's perfect, but at least we're taking it seriously and are on top of it". And you promote that image not through another Mac vs. PC commercial, but by actually doing it. Again, nice step.
    Michael Kelly
    • It's only cocky

      to people feeling threatened by it.

      Fact is, OS X is a more secure computing experience than Windows. When the FBI grabbed that million machine botnet the other day, those computers were not running OS X.
      • More secure is not good enough

        The Mac vs. PC ads act as if security is a non-issue. It may be better than the Windows platform (although Windows has improved its record quite a bit since the early part of the decade) but you cannot pretend that an Apple user can ignore security, which is what the ads suggest. Suggesting there are no weaknesses when there clearly are does qualify as "cocky".

        And stop comparing the product to something that's weaker. You should strive for something better.
        Michael Kelly
        • Hehe, always found that funny too

          "And stop comparing the product to something that's weaker. You should strive for something better."

          The standard battlecry of the Mac zealot: "Windows is the swiss cheese of OSs, it is impossible to use it without immediately being infected, it is the worst of the worst of all the OSs ever created. OSX is better than that."

          Quite frankly, if I was interviewing someone and they told me that they can code better than a 2 year old, it would raise a couple red flags. :)
          • Let me make sure I have this right

            "Quite frankly, if I was interviewing someone and they told me that they can code better than a 2 year old, it would raise a couple red flags."

            So then, you are actually comparing MS coders to 2 year olds? Maybe you actually *are* a Non Zealot.

        • Well I've always said that Apple's ads are aimed at

          the millions of users out there who haven't upgraded in a while who very well may
          still be using Win95, WinME, Win98 and or Win2000. They do exist and they are
          ripe for a new system so why not push the benefits of one which can do both and
          is "MORE" secure than what they are currently using? None I think....

          So why is it again that the Mac User has to take security into account again?
          Where is the damage doing exploit? Where is the exploit period? Who has been
          struck by this menace and what happened to said?

          Pagan jim
          • Mac vs PC Ads work

            Actually Mac vs PC ads are a clever way Apple promotes the differences between a
            Mac and a typical Windows PC. Apple never did this successfully in the past.
            "Think different!" was more of a designer jeans or Lexus style ad campaign. The
            great super bowl ad in 1984 was genius in a dark sort of way, but probably did
            little to help Apple. The Lemmings ad, most Windows users didn't understand.

            One difference between Mac and Windows PC is that with a Mac, you don't have to
            spend as much time worrying about security. If you run Windows on a cable
            modem which is connected all the time and you visit quite a few web sites, even
            with pain in the butt security software, you are likely to get a virus and some
            spyware. Unprotected, you are scr...d. You can run a Mac with a standard
            configuration and you will most likely NEVER get a virus or spyware. Now, that
            doesn't mean that some day someone won't come up with a Mac exploit in the
            wild, but if you read ZD Net and PC magazine or even MacWorld, the day when a
            REAL virus or exploit comes out, it will be huge news before it infects 10 machines
            because unlike Windows which has new exploits come out daily in the wild, even
            fake exploit FUD on the Mac makes big news.

            Still there are Mac security solutions and Apple is quick to update possible
            security problems, so Mac users need to be on their toes, but we don't really have
            to worry about security constantly like Windows users do. Before I get flamed by
            the anti Mac zealots, "Yes, I'm sure many of you have great security on your
            networks and have never had security problems." But you have to work hard to
            keep your computers or network that way and all I can say is good job. Mac users
            enjoy the same thing without the hard work and attention to detail.

            OK, about the Safari Beta. It's Beta. Still Apple has updated it within 2 days of
            release. Apple putting Safari on Windows does a couple of things. It paves the way
            for the iPhone and if it achieves a higher market share. Safari has a 7% market
            share running only on Macs, so it is fairly successful already. Safari is standards
            based, so along with Firefox and a few other browsers, people will write fewer IE
            only web pages which annoy everyone, but especially Mac users. I run Parallels
            mostly for that reason, the one or two IE only sites that I need to go to and also
            for the few morons who think you can create ads for print with Microsoft
        • The ads don't suggest there are no weaknesses

          They only suggest that you don't have virus or spyware problems on the Mac, and
          that is true. To suggest that there will never be a problem or that Apple isn't
          always updating its OS to keep from having the same problems you find in
          Windows would not be true. Part of the reason Apple enjoys virtually no security
          problems stems from the fact that if someone finds an exploit or weakness, Apple
          has a few days to fix it before exploits appear in the wild. Windows machines get
          exploited within hours of finding a weakness.

          Still, you have to admit that Apple patching their beta software within 2 days of
          initial beta release is pretty quick for a patch. I'm sure they will be patching Safari
          3 a lot more before it becomes a standard release. Also, any specific complaints
          you have about Safari, you should complain loudly now! Apple is all ears at this
          point. They actually want you to have a good experience with Safari. This is
          important for the iPhone which Apple has big plans. Flop or not, Apple has a lot of
          Apples in the iPhone basket. Apple has never had any product as highly
          anticipated as the iPhone. I think it's insane and wish they would just keep
          building great computers, but no doubt some of the technologies that are being
          pushed for the iPhone will be good for everyone. I think safari 3 is one of them.
  • point is moot

    After using Safari for a little more than two days, I have found it to be too clunky for my taste. The appearance is clean and uncluttered but it is a hassle to keep having to click twice to access my Firefox bookmarks, then having to double click on each bookmark to get to the page. It isn't faster than Firefox or the other browsers. It doesn't offer any dramatic new features and it isn't all that beautiful. Without any compelling reasons, it's been uninstalled.
    • Hmmm

      And I thought the article was about security. But I guess we all need to know why everyone hates Safari too.
    • Well gee...

      Sorry you are too ignorant to just move the bookmarks to the bookmarks window/bar using the bookmarks manager. For me it runs very fast, but I do have one issue with it. And this is the fact that I use a hidden task bar, and safari won't let me see it if it's maximized.
      • Product is beta

        Any complaints or problems you have with Safari, you should keep posting about
        them. Try to notify Apple or post on Mac specific blogs. One thing good about Apple
        is that normally they listen to their customers, because for Apple customer
        experience is one of their top priorities. There have been times in Apple's past where
        they didn't listen to customers and it has come back to hurt them in the pocket book.

        As much as you hear about Mac zealots defending their platform. They also complain
        a lot about Apple and believe it or not Apple listens.
    • You shouldn't have to click twice for bookmarks...

      You shouldn't have to click twice for bookmarks, you just select it from your menu.

      As for your Firefox bookmarks, click the icon on the far left of your toolbar that looks like a Book. You can manage all your bookmarks that way. Move your imported Firefox bookmarks to your main bookmark menu and/or toolbar, or, however else you want to organize it.
    • Safari beta is web standards compliant on Windows.

      Be sure to test Safari beta, IE 6, IE 7, Firefox 2 or whatever browser you use in
      Windows against the Web Standards to see how it fares. You will be unpleasantly
      surprised to see how the most popular browser on Windows does, how sad.

      The Acid 2 Test

      List of compliant browsers
      • Ok, I tested Opera 9.21 and unsurprisingly, it passed...

        Again, what exactly does Safari bring to the browser gene pool (other than the threat of turtlenecks)?
    • In other words

      It was different than you were used to and you didn't have the time to spend learning
      how to use it properly, so you just ditched it. Fine. But there's really nothing wrong
      with the bookmarking features. They're very well designed. The best I've ever found.

      Moving your most frequently used bookmarks to either Bookmarks menu or the
      Bookmarks tool bar makes them single clickable. They are double clickable in the
      management pane because they are also selectable and editable in that context.

      Live and learn huh?
      Len Rooney
    • sounds like...

      sounds like you need to learn how to organize and use your bookmarks correctly.
      • of course you're right...

        I am too lazy to get used to a new browser. My point wasn't to say Safari sucks. I am merely pointing out that there is nothing outstanding about it. That's all. No need to get all upset and start calling people ignorant. Lazy yes, ignorant, don't think so.
        • But,

          isn't your laziness to blame for the ignorance you exhibited in your initial post?

          No offense, just trying to keep you honest here. ie, I am not calling you ignorant, just your posts, and level of knowledge.