14 DAY TRIAL // Safari used to be little more than 'Apple's browser' a very niche product that only Mac users used. Apple seems bent on changing all that and taking Safari further into the mainstream, not only by enticing sites to become more compatible with it but also by expanding the number of computers that the program can run on.
With the iPhone using Safari as its one and only browser and with the device being the popular new gadget to have, more and more sites are making sure that they can properly work of the device. It makes sense as the iPhone is a very practical tool, both for customers and businesses and companies want to be able to work with it. The fact that more sites are becoming compatible with all versions of Safari is a side effect that most of these companies are not even aware of. Safari for Windows was the first step towards expanding the potential user base of the program. Despite being off to a bumpy start, Apple's browser certainly saw interest, either from Mac users that wanted the same browsing experience when they have to work on PCs, or from developers that want to test their sites with the program.
Various bugs and vulnerabilities were discovered in the latest versions of Safari and Apple has been quick as usual to close the holes, this latest update being a prime example. Some of the vulnerabilities addressed in this update are the same as the ones that affected the iPhone.
Safari Beta 3.0.3 is recommended for all users and improves its security and stability. Safari Beta Update 3.0.3 is available via Software Update.
Safari 3 Beta Update 3.0.3 security content:
■ Safari CVE-ID: CVE-2007-3743 Available for: Windows XP or Vista Impact: Adding bookmarks may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow vulnerability exists in Safari's bookmark handling. By enticing a user to add a bookmark with an overlong title, an attacker may trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing proper bounds checking. This issue does not affect Mac OS X systems.
■ WebKit CVE-ID: CVE-2007-2408 Available for: Mac OS X v10.4.9 or later, Windows XP or Vista Impact: Visiting a malicious website may allow Java applets to load and run even when Java is disabled Description: Safari provides an "Enable Java" preference, which when unchecked should prevent the loading of Java applets. By default, Java applets are allowed to be loaded. Navigating to a maliciously crafted web page may allow a Java applet to be loaded without checking the preference. This update addresses the issue through a stricter check of the "Enable Java" preference. Credit to Scott Wilde for reporting this issue.
■ WebKit CVE-ID: CVE-2007-3742 Available for: Mac OS X v10.4.9 or later, Windows XP or Vista Impact: Look-alike characters in a URL could be used to masquerade a website Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.
■ WebKit CVE-ID: CVE-2007-3944 Available for: Mac OS X v10.4.9 or later, Windows XP or Vista Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.