More Safari for Windows security holes patched

Apple has refreshed its new Safari for Windows browser to patch a pair of vulnerabilities that could cause spoofing and HTTP redirection attacks.
Written by Ryan Naraine, Contributor

This is the second batch of updates shipped for the beta browser since Apple's heavily hyped release of its flagship browser to the Windows ecosystem.

Both vulnerabilities affect Windows XP and Windows Vista users, while one of the patches is also available for Safari on Mac OS X.

Details on the latest patches:

CVE-2007-2398 -- In Safari Beta 3.0.1 for Windows, a timing issue allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered.

CVE-2007-2400 -- Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This issue affects Mac OS X users.

Apple also released a patch for WebCore to correct an HTTP injection issue in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks, Apple said. This affects Mac OS X, Windows XP and Windows Vista.
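The WebCore issue belongs to a well-known bug class: if a browser copies a script-supplied header value into the request text without checking it for CR/LF, the value can terminate the header line and add lines of its own. The following JavaScript is an added illustration, not Apple's WebCore code (which the article does not show); it contrasts a serializer that trusts header values with one that validates names and values first. The header list and host name are constructed sample input.

```javascript
// Added example: a constructed illustration of the header-injection bug class
// behind the WebCore XMLHttpRequest fix, not Apple's code. A header value that
// contains CR/LF, if copied unchecked into the request, becomes extra header
// lines on the wire. The hardened serializer validates before it writes.

// Header names must be RFC 7230 tokens.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Header values may not contain control characters other than horizontal tab;
// CR (\r) and LF (\n) in particular would terminate the current header line.
const BAD_VALUE_RE = /[\u0000-\u0008\u000A-\u001F\u007F]/;

function isValidHeaderName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

function isValidHeaderValue(value) {
  return typeof value === 'string' && !BAD_VALUE_RE.test(value);
}

// Vulnerable pattern: trusts whatever the script handed to setRequestHeader()
// and concatenates it straight into the request text.
function serializeUnchecked(method, path, host, headers) {
  let out = `${method} ${path} HTTP/1.1\r\nHost: ${host}\r\n`;
  for (const [name, value] of headers) {
    out += `${name}: ${value}\r\n`;
  }
  return out + '\r\n';
}

// Hardened pattern: every name and value is validated before anything is
// serialized, so a single bad header rejects the whole request.
function serializeChecked(method, path, host, headers) {
  for (const [name, value] of headers) {
    if (!isValidHeaderName(name)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (!isValidHeaderValue(value)) {
      throw new TypeError(`invalid header value for ${name}: ${JSON.stringify(value)}`);
    }
  }
  return serializeUnchecked(method, path, host, headers);
}

// Number of header lines actually on the wire (request line and the blank
// terminator excluded). If this exceeds the number of headers the script
// set plus Host, a value has smuggled extra lines in.
function headerLineCount(request) {
  return request.split('\r\n').slice(1).filter((line) => line.length > 0).length;
}

// Constructed sample: one script-set header whose value embeds a CRLF.
const SAMPLE_HEADERS = [['X-Custom', 'a\r\nX-Injected: constructed']];

function demo() {
  const onWire = serializeUnchecked('GET', '/', 'example.com', SAMPLE_HEADERS);
  let rejected = false;
  try {
    serializeChecked('GET', '/', 'example.com', SAMPLE_HEADERS);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return {
    headersSet: SAMPLE_HEADERS.length + 1, // +1 for the Host line
    uncheckedLines: headerLineCount(onWire),
    rejected,
  };
}
```

Running `demo()` shows the gap the patch closes: the unchecked serializer emits three header lines although the script set only one header (plus Host), while the checked serializer refuses the request before anything reaches the wire. Modern browsers apply this kind of name and value validation inside `setRequestHeader()` itself.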

A fourth vulnerability, in WebKit, corrects a potential code execution issue affecting Mac OS X, Windows XP and Windows Vista users. This could be exploited by luring users to a maliciously crafted Web site.
