Apple patches three vulnerabilities in its web browser

May 13, 2009 08:03 GMT

Alongside the release of Mac OS X 10.5.7, Apple has issued an update for Safari users. Bringing the version number to 3.2.3 on both Mac and Windows platforms, the company has addressed three critical security issues in the browser, detailing each of them in two Support pieces on its website. Both the Safari 4 Public Beta and Safari 3.2.3 have received the fixes, and users are strongly encouraged to download and install the update.

According to Apple, Safari suffered from three major security issues reported by Billy Rios of Microsoft Vulnerability Research (MSVR), and Alfredo Melloni and Nils, working with TippingPoint's Zero Day Initiative.

The support documents describing the security content of Safari 3.2.3 and Safari 4 Public Beta reveal that a heap buffer overflow exists in libxml's handling of long entity names. According to Apple, visiting a maliciously crafted website may lead to an unexpected application termination or to arbitrary code execution. The company has included a patch for this issue, addressing it through improved bounds checking in both versions of Safari (3.2.3 and 4 Beta), as well as on the Windows side. Tiger users are also affected by the problem, so updating is necessary.

The second problem affects only Mac OS X v10.5.7, Mac OS X Server v10.5.7, and Windows XP or Vista: multiple input validation issues exist in Safari's handling of "feed:" URLs, as Apple learned from research done by Billy Rios of Microsoft Vulnerability Research (MSVR) and Alfredo Melloni. Accessing a maliciously crafted "feed:" URL may lead to the execution of arbitrary JavaScript, the pair found. Today's update for Safari users contains a patch for this issue as well, achieved by performing additional validation of "feed:" URLs. Systems running Mac OS X versions earlier than 10.5 are not affected, and the patch is already included in Mac OS X 10.5.7, as well as in Security Update 2009-002.
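Apple's note says only that the fix performs "additional validation" of "feed:" URLs, without describing the checks. The following C routine is an added example, not Apple's or WebKit's code, of the allow-list style of validation a browser can apply before handing such a URL on: the inner target must be an http or https URL (or the feed://host form), every byte must be a character RFC 3986 permits in a URL, and percent-escapes must be well formed. The function name is_valid_feed_url and the exact policy (which inner schemes to accept) are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* True for bytes RFC 3986 allows in a URL: unreserved, reserved and '%'.
   Control characters, whitespace, quotes, angle brackets and non-ASCII
   bytes are all rejected. */
static int is_url_char(unsigned char c)
{
    if (c == '\0') return 0;
    if (isalnum(c)) return 1;
    return strchr("-._~:/?#[]@!$&'()*+,;=%", c) != NULL;
}

/* Case-insensitive prefix test; stops safely at the end of s. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    while (*prefix) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
        s++;
        prefix++;
    }
    return 1;
}

/* Returns 1 when url is a "feed:" URL whose target is an http(s) resource
   with a non-empty host and only well-formed URL characters; 0 otherwise.
   This is an assumed allow-list policy, not the check Apple shipped. */
int is_valid_feed_url(const char *url)
{
    if (url == NULL || !has_prefix_ci(url, "feed:")) return 0;
    const char *inner = url + 5;

    /* Accept feed://host/path (implicitly http) or feed:http(s)://host/path.
       Any other inner scheme (javascript:, data:, file:, ...) is refused. */
    if (!has_prefix_ci(inner, "//") &&
        !has_prefix_ci(inner, "http://") &&
        !has_prefix_ci(inner, "https://"))
        return 0;

    /* The authority after "//" must not be empty. */
    const char *authority = strstr(inner, "//");
    if (authority == NULL) return 0;
    authority += 2;
    if (*authority == '\0' || *authority == '/') return 0;

    /* Character-level validation, including "%XX" escapes. */
    for (const unsigned char *p = (const unsigned char *)inner; *p; p++) {
        if (!is_url_char(*p)) return 0;
        if (*p == '%' && (!isxdigit(p[1]) || !isxdigit(p[2]))) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs for illustration. */
    const char *samples[] = {
        "feed:https://example.com/rss.xml",
        "feed://example.com/atom.xml",
        "feed:javascript:1",
        "feed:http://example.com/a b",
        "feed:http://example.com/%zz",
        "http://example.com/rss.xml",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %s\n", samples[i],
               is_valid_feed_url(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The design point is that the validator decides what is allowed rather than what is forbidden: a new inner scheme or an unusual byte is rejected by default, which is what makes an input-validation fix of this kind hold up against variants the original report did not cover.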

Lastly, Apple reports a WebKit problem affecting Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, and Windows XP or Vista. The Mac maker has learned that a memory corruption issue exists in WebKit's handling of SVGList objects, thanks to tests carried out by Nils working with TippingPoint's Zero Day Initiative.

"Visiting a maliciously crafted website may lead to arbitrary code execution," the support document reads. "This update addresses the issue through improved bounds checking. This issue is addressed in Safari 3.2.3," the description ends.
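Two of the three fixes, the libxml entity-name heap overflow and the SVGList memory corruption, are described by Apple as "improved bounds checking". The following C code is an added illustration of that pattern, not libxml's or WebKit's actual code: a hypothetical parser copies the name of an XML entity reference such as "&amp;" into a fixed-size heap buffer, first in the unchecked form that a long name overruns, then in a bounds-checked form that measures the name and refuses anything that will not fit. ENTITY_NAME_MAX, the function names and the buffer layout are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed capacity of the heap buffer that holds an entity name
   (constructed for illustration, not libxml's real data structure). */
#define ENTITY_NAME_MAX 16

/* Vulnerable pattern: copies the name that follows '&' up to ';' into a
   buffer of ENTITY_NAME_MAX bytes with no length check. A name of
   ENTITY_NAME_MAX bytes or more writes past the allocation, corrupting
   the heap. Kept here only as the "before" picture; never call it on
   untrusted input. */
char *parse_entity_name_unchecked(const char *p)
{
    char *name = malloc(ENTITY_NAME_MAX);
    size_t i = 0;
    if (name == NULL || *p != '&') { free(name); return NULL; }
    p++;
    while (*p && *p != ';')
        name[i++] = *p++;          /* no bounds check on i */
    name[i] = '\0';
    return name;
}

/* Hardened pattern: measure the name before writing, and reject references
   that are unterminated, empty, or too long to fit with the terminator.
   Returns a heap string the caller frees, or NULL on rejection. */
char *parse_entity_name_checked(const char *p)
{
    if (*p != '&') return NULL;
    p++;
    const char *end = strchr(p, ';');
    if (end == NULL) return NULL;                          /* unterminated */
    size_t len = (size_t)(end - p);
    if (len == 0 || len >= ENTITY_NAME_MAX) return NULL;   /* empty / too long */
    char *name = malloc(ENTITY_NAME_MAX);
    if (name == NULL) return NULL;
    memcpy(name, p, len);                                  /* fits by construction */
    name[len] = '\0';
    return name;
}

/* Helper for checking results: parses input with the checked routine and
   returns 1 if the outcome matches expected (NULL meaning "rejected"). */
int checked_parse_matches(const char *input, const char *expected)
{
    char *name = parse_entity_name_checked(input);
    int ok = (expected == NULL) ? (name == NULL)
                                : (name != NULL && strcmp(name, expected) == 0);
    free(name);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs: a normal name, one of exactly 15 bytes
       (the largest that fits), one of 16 bytes, and an unterminated one. */
    const char *samples[] = {
        "&amp;",
        "&aaaaaaaaaaaaaaa;",
        "&aaaaaaaaaaaaaaaa;",
        "&lt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *n = parse_entity_name_checked(samples[i]);
        printf("%-20s -> %s\n", samples[i], n ? n : "rejected");
        free(n);
    }
    return 0;
}
```

The essential change is the order of operations: the checked version computes the length and compares it with the capacity before any byte is written, so the allocation size and the copy length can never disagree, which is exactly the invariant the unchecked loop lacks.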

As noted above, Safari 3.2.3 is included in the Mac OS X v10.5.7 Update. On Mac OS X, Safari 3.2.3 requires the latest version of Leopard, or, on Tiger-running machines, Mac OS X v10.4.11 with Security Update 2009-002 installed.

Download Safari 3.2.3 for Mac

Download Safari 3.2.3 for Windows

Download Safari 4 Public Beta