Apple Patches CanSecWest Safari Bug
A week after Adobe patched the vulnerability used to compromise the Vista laptop at CanSecWest 08, Apple have released an update for Safari, through Security Advisory 2008-04-16, that addresses the vulnerability used to compromise the MacBook Air the day before. The most up-to-date version of Safari is now 3.1.1.
According to Apple's advisory, released early on April 17, the update patches two vulnerabilities that affect only the Windows versions of Safari, and two that affect both OS X and Windows (in WebKit, the framework that Safari is built on).
For Windows users, the first platform-specific vulnerability is a spoofing flaw in which a site can modify the address bar contents through a timing flaw. This bug was originally patched in version 3.0.2 but was reintroduced with Safari 3.1. The remaining Windows-specific flaw is a potential remote code execution / denial of service (application crash) bug in which attempting to download a file with a maliciously crafted name can trigger a memory flaw that either crashes the application or allows arbitrary code execution.
Users who want to update to the latest version of Safari can do so through the Apple Software Update application (in the Apple Menu on OS X), or through the Apple website.
19 April 2008