Apple releases Safari 3.1.1 security update

Under cover of darkness, Apple released Safari 3.1.

Apple releases Safari 3.1.1 security update
Under cover of darkness, Apple released Safari 3.1.1 via Software Update tonight. In typical Apple form the description is purposefully vague, recommending the update "for all Safari users" and telling us that it "includes improvements to stability, compatibility and security." A-ha.

Apple's About the security content of Safari 3.1.1 page tells a little more, stating that the update fixes two nasty Webkit bugs (in the Mac OS version):

  • WebKit CVE-ID: CVE-2008-1025 Impact: Visiting a malicious website may result in cross-site scripting

  • WebKitCVE-ID: CVE-2008-1026 Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution

I bet that this Safari update fixes the exploit that was discovered at the CanSecWest hacking contest on 31 March by Charlie Miller who won a MacBook Air (and $10,000 cash) after breaking into the machine via one of the its built-in apps (presumably Safari).