Stephen Withers
Monday, 25 June 2007 10:39
Apple has released a third beta of Safari 3, fixing three cross-platform vulnerabilities plus one that is Windows-specific.
The bug specific to the Windows implementation is in Apple's WebCore framework. It allows a web page to change the contents of the address bar without loading the corresponding page, providing a means to spoof another site.
The cross-platform issues are a cross-site scripting vulnerability in Safari itself, another cross-site scripting vulnerability in WebCore, and an invalid type conversion in WebKit (the open source project on which Safari is based) that could cause memory corruption and hence either an unexpected termination or the execution of arbitrary code.
The new version is available via the Apple Software Update utility or from Apple's web site.
In related news, Security Update 2007-006 for Mac OS X 10.3.9 and 10.4.9 patches WebCore to address the cross-site scripting vulnerability and WebKit to remove the invalid type conversion. These are the same issues fixed by Safari 3.0.2, and so the update will not be automatically offered to Macs which have the Safari 3 beta installed.
The update is available via Software Update or from Apple's web site.