"By enticing a user to visit a maliciously crafted web page, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional processing and validation of URLs," Apple said in an advisory.
Larholm confirms the bug has been fixed but suggests there may still be some related problems:
Quotes and whitespace [are] now filtered on any requests to external URL protocol handler applications, but other characters are still being passed without filtering so I expect to find some variations pretty soon.
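To make Larholm's point concrete, here is an added example (not Apple's code and not from the original article) that puts the narrow "quotes and whitespace" blocklist he describes beside an allowlist check of the kind a browser would want before handing a URL to an external protocol-handler application; the permitted scheme set and the sample URLs are assumptions.

```python
"""Validate a URL before it is passed to an external protocol-handler application."""
import re

# Allowlist: the characters RFC 3986 permits in a URL (unreserved, reserved,
# and the '%' of a percent-escape). Conservatively drops the apostrophe even
# though the RFC allows it. Anything else (control characters, whitespace,
# quotes, < > \ ^ ` { | } and non-ASCII) is rejected outright.
_RFC3986_URL_RE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&()*+,;=%]+$")
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
# A '%' that is not followed by exactly two hex digits is a malformed escape.
_BAD_PCT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def blocklist_filter(url: str) -> bool:
    """The narrow check the quote describes: reject only quotes and whitespace.

    Everything else is passed through unchanged, which is why Larholm expects
    variations of the bug to surface.
    """
    return not any(ch in "\"'" or ch.isspace() for ch in url)


def allowlist_validate(url: str, allowed_schemes=frozenset({"http", "https", "mailto"})) -> bool:
    """Accept a URL only if every character is RFC 3986-legal, every '%' starts a
    well-formed escape, and the scheme is syntactically valid and explicitly allowed.
    """
    if not _RFC3986_URL_RE.fullmatch(url):
        return False
    if _BAD_PCT_RE.search(url):
        return False
    scheme, _, rest = url.partition(":")
    if not rest or not _SCHEME_RE.fullmatch(scheme):
        return False
    return scheme.lower() in allowed_schemes


# Constructed sample inputs: (url, blocklist result, allowlist result).
SAMPLES = [
    ("https://example.com/path?q=1", True, True),          # clean URL
    ("http://example.com/a%20b", True, True),              # well-formed escape
    ("mailto:user@example.com?subject=hi there", False, False),  # whitespace
    ("mailto:user@example.com?x=a|b", True, False),        # '|' slips past the blocklist
    ("https://example.com/%zz", True, False),              # malformed escape
    ("file:///C:/x", True, False),                         # scheme not on the allowlist
]


def check_samples() -> bool:
    """Return True if both checks behave as annotated in SAMPLES."""
    return all(blocklist_filter(u) == b and allowlist_validate(u) == a for u, b, a in SAMPLES)
```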
The browser refresh is available via the "Apple Software Update" application, which is installed with the most recent version of QuickTime or iTunes on Windows and should be treated as a high-priority update. Beta testers (Windows XP and Vista) can download Safari 3.0.1 here.
CVE-2007-3185 -- Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution because of an "out-of-bounds memory read issue."
Apple claims that none of the bugs affect Safari on the Mac OS X platform.