More Safari for Windows security holes patched




Apple has refreshed its new Safari for Windows browser to patch a pair of vulnerabilities that could cause spoofing and HTTP redirection attacks.

This is the second batch of updates shipped for the beta browser since Apple's heavily hyped release of its flagship browser to the Windows ecosystem.


Both vulnerabilities affect Windows XP and Windows Vista users, while one patch is available for Safari on Mac OS X.

Details on the latest patches:

CVE-2007-2398 -- In Safari Beta 3.0.1 for Windows, a timing issue allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered.


CVE-2007-2400 -- Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This issue affects Mac OS X users.

Apple also released a patch for WebCore to correct an HTTP injection issue in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks, Apple said. This affects Mac OS X, Windows XP and Windows Vista.
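The header-serialization issue above, shown as an added example that is not Apple's or WebKit's code: the page does not say which characters were involved, so this sketch assumes the common CR/LF case, and every function name and sample value is constructed. It contrasts a serializer that concatenates script-supplied headers with one that validates them first.

```javascript
// Added illustration: serializing request headers into HTTP/1.1 wire text.
// Function names and sample values are constructed for this example.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 header-name token
const BAD_VALUE = /[\r\n\0]/;                    // characters that end or corrupt a header line

// Naive form: concatenates whatever the script passed as header name and value.
function serializeNaive(method, path, host, headers) {
  let out = `${method} ${path} HTTP/1.1\r\nHost: ${host}\r\n`;
  for (const [name, value] of headers) out += `${name}: ${value}\r\n`;
  return out + "\r\n";
}

// Hardened form: validate every name and value before anything is written.
function serializeStrict(method, path, host, headers) {
  for (const [name, value] of headers) {
    if (!TOKEN.test(name)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (BAD_VALUE.test(value)) {
      throw new TypeError(`invalid header value for ${name}`);
    }
  }
  return serializeNaive(method, path, host, headers);
}

// Header names a receiving server would parse out of the wire text.
function parsedHeaderNames(wire) {
  const head = wire.split("\r\n\r\n")[0];
  return head.split("\r\n").slice(1).map((line) => line.split(":")[0]);
}

// Constructed input: one script-supplied value carrying an embedded CRLF.
const sample = [["X-Note", "hello\r\nX-Injected: 1"]];

function demo() {
  const naive = parsedHeaderNames(serializeNaive("GET", "/", "example.test", sample));
  let rejected = false;
  try {
    serializeStrict("GET", "/", "example.test", sample);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { naive, rejected };
}
```

With the naive serializer the receiver sees a header the page's script never set by name; the strict one refuses the request before any bytes are produced.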

A fourth fix, in WebKit, corrects a potential code execution issue affecting Mac OS X, Windows XP and Windows Vista users. This could be exploited by luring users to a maliciously crafted Web site.


Talkback

79 comments
  • Beware of all Apple software

    Ahhh, I'm so glad I made the decision not to install any Apple software on my Vista machine. It seems that Apple can't release anything that doesn't have gaping wide open security holes!
    NonZealot
    • Have a nice time

      When the first Vista botnets are found ;)
      zkiwi
    • Yeah, good thing this is a beta software...

      Funny thing is, some people will jump all over this yet be an apologist for companies who seem to wait until official release to start fixing the security holes.
      jasonp@...
    • Which is it?

      "Makes me glad I stay far, far, far away from all Apple products. Safari lasted all of 1 hour on my machine before I uninstalled it."

      http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=35225&messageID=649593&start=-9981

      or

      "I made the decision not to install any Apple software"

      One of the signs of true zealotry is the amazing ability to change fact to fit the ideology (q.v. The Downing Street Memo).

      Still can't keep your story straight, Z-man.
      msalzberg
    • Mac Fan

      Dude you are such a Mac Fan.

      So don't install any Beta software on your main computer, that is only common
      sense.

      Duh.
      MarcB_z
    • Well at least you don't have to worry about EXPLOITS:P

      Pagan jim
      Laff
  • You made the right choice, for someone whose alphabet stops at BETA (NT)

    NT
    Non-Zealand
  • It's not the browser...

    Apple is just learning how hard it is to protect the swiss-cheese infrastructure underneath it.
    BitTwiddler
    • Yeah... that explains the patch that was issued for OS X

      "Apple is just learning how hard it is to protect the swiss-cheese infrastructure underneath it."

      I think you are correct...

      "one patch is available for Safari on the Mac OS X"

      ...OS X is swiss cheese.
      Hallowed are the Ori
    • That is probably the...

      most ignorant post I've seen in some time.
      BFD
      • Then you are easily fooled. (nt)

        .
        No_Ax_to_Grind
    • Oh Really!

      The job of a browser is to protect the local machine. No OS can do it all. If the OS was totally locked down because the apps were flakes, you would be locked out of your own machine. Mozilla doesn't have this problem. Even IE does a better job. This is just an app to interface with the iPhone.
      osreinstall
  • Anyone who has beta-tested knows...

    ...frequent refreshes with security and usability (read bug fixes) is common during a beta.

    While I usually cringe at the "security by denial" apple crowd and try to avoid the total MS support wagon, this is after all a beta and will have issues. The telling point is whether they are fixed during the beta or wait until after RTM to fix. Hopefully they will all be found during the beta but I somehow doubt it - it is designed by humans and is therefore subject to flaws, just like all software.

    Putting the Apple moniker on it does not confer any special status. Nor does putting Microsoft's on its products automatically condemn it.
    Confused by religion
    • Good point Milly

      And actually rather well said. Although you would have a very hard time convincing some of that around here.
      Shelendrea
    • Love that last statement Milly......actually all your words

      ring true.

      Well maybe not the security by denial one at least for me that is. But still it was a
      good post.

      Now here is my question to the likes of NonZ and Xunil...everyone including they
      argue like Apple is MS's equal (which on some level I enjoy) but when you think
      about it Apple has so much less than MS in terms of well MONEY and that means a
      lot when one talks about programmers and other resources. What I would like on
      some level is a little bit of credit for Apple to even be in the running with MS.
      When you look at the resources that MS has it is well amazing is it not that Apple
      is here with OSX, the Macintosh, iPod, Safari, iTunes, Apple TV and now the iPhone
      is it not?

      Where is the begrudging admiration for a valiant foe?

      Pagan jim
      Laff
      • Why do I need to post admiration?

        Rev, you, Tic and that silly striped overgrown pussycat do enough for Apple here, and not all of it positive. ;)


        When you have someone like Steve Jobs at the helm, there is little about the company I admire. Do I like their products? They are okay. Do I use their products? I have an iBook I am about to eBay. Good or bad experience? Not particularly bad but not nearly good enough to make me an "adder" (as opposed to switcher).

        There really are 10 kinds of people in the world, those who like Apple and those who like Microsoft. Everyone else is in denial <gd&r>
        Confused by religion
        • Jobs is beside the point I was making...

          Apple is X in terms of resources. MS is Y. One is considerably larger than the
          other and therefore can afford more programmers and researchers and testers et al.
          I would think the much smaller company would get at least some credit for not
          only keeping pace but sometimes winning an occasional skirmish...ie iPod for
          instance.

          Is Steve Jobs that offensive to people...don't get it myself I don't particularly
          worship him but I hardly think he's more or less offensive than many a CEO I've
          seen over the years including Ballmer and Gates. Plus a host of others in this
          industry and others. How does Jobs stand out to you anyway? What has he
          done that offends you so much? I mean above and beyond so many others?

          Pagan jim
          Laff
          • I do give Apple credit for hanging in there

            Yes, they are a small company with 4 products now - iPod, the Macs (Server and desktop), Apple TV and soon the iPhone.

            As for what I dislike about SJ is his whole snippish, sniping, whining behavior, besides the bold-faced lies he promotes through his advertisements.

            Anyone whose opening remarks can be counted on to be a shot across Microsoft's bow does nothing to represent his company, rather it promotes them as an also ran who has to run down the big guy in order to justify whatever he is talking about. Not a very good strategy and one not taught at the Toastmasters.

            I know that he resents Microsoft and their success, however he needs to restrain himself from showing that resentment every time he opens his mouth.
            Confused by religion
  • Is there more to Safari on Windows than iphone sync ability?

    Some have said Apple is hoping to swing people toward the Mac with Safari as well as providing iphone interface for Windows?
    I'm not sure how much QT or iTunes has been able to manage this, so why would there be any expectations with Safari. Quite honestly, with Apple's history of writing poor code for Windows, I would expect to see an opposite effect and if anything this will help drive Vista growth.
    xuniL_z
    • I don't know about that....seems the iPod and iTunes for

      WINDOWS has done a good job for Apple.

      Still I think there is a fair chance the refresh of the iMac will be a larger screen
      HD TV ability with the ability to snap off the stand and hang on the wall if one
      chooses. So the iMac will be a computer and HD entertainment center that ties
      nicely into the whole Apple TV/iPhone/iPod/iTunes and Safari mix. Since the iMac
      will be able to run either Windows or OSX well there you have it a complete circle
      for Windows or OSX users or both!!!!

      Pagan jim
      Laff