Safari 3.1.1 Fixes PWN 2 OWN Flaw and Other Security Issues

- Mozilla Firefox also patched

By: Filip Truta, Apple News Editor

Updates are now available for Safari and Firefox users on Mac and Windows. Both Safari 3.1.1 and Firefox 2.0.0.14 address security issues. As some of you may have already guessed, with the release of Safari 3.1.1, Apple has patched the flaw Charlie Miller used to win 10 Gs and a MacBook Air in the PWN 2 OWN contest at CanSecWest. Safari 3.1.1 also covers other security issues affecting Tiger (10.4.11) and Leopard (10.5.2), as well as two security issues affecting Windows XP/Vista users.

MAC

CVE-2008-1026
Apple notes that it has fixed an issue where a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution, and names a heap buffer overflow in WebKit's handling of JavaScript regular expressions as the cause. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution, Apple says. Safari 3.1.1 addresses the issue by performing additional validation of JavaScript regular expressions.

Apple credits Charlie Miller for reporting the issues.
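As an illustration of what validating repetition counts can look like (an added example, not Apple's or WebKit's actual patch), the following check computes the worst-case product of nested `{n}` / `{n,m}` counts in a regular expression source and rejects patterns above a limit. The function names and the `LIMIT` value are assumptions made for this example, and the scanner assumes a well-formed pattern.

```javascript
// Added illustration; not WebKit code. LIMIT is an assumed policy value.
const LIMIT = 1e6;
const QUANT = /\{(\d+)(?:,(\d*))?\}/y; // sticky: matches {n}, {n,} or {n,m} at lastIndex

// Largest product of explicit repetition counts along any nesting path.
// For {n,} the written minimum n is used; * and + are not counted here.
function worstNestedRepetition(src) {
  const stack = [1]; // stack[k] = largest product seen inside open group k
  let i = 0;
  while (i < src.length) {
    let inner = 1; // product contributed by the atom just consumed
    const ch = src[i];
    if (ch === "\\") {
      i += 2; // escaped character is a plain atom
    } else if (ch === "[") {
      i++; // skip a character class; braces inside it are literals
      while (i < src.length && src[i] !== "]") i += src[i] === "\\" ? 2 : 1;
      i++;
    } else if (ch === "(") {
      stack.push(1); // open a group; it becomes an atom when it closes
      i++;
      continue;
    } else if (ch === ")") {
      if (stack.length > 1) inner = stack.pop();
      i++;
    } else {
      i++;
    }
    QUANT.lastIndex = i;
    const m = QUANT.exec(src);
    let product = inner;
    if (m) {
      const count = Math.max(Number(m[1]), Number(m[2] || 0));
      product = inner * Math.max(count, 1);
      i = QUANT.lastIndex;
    }
    const top = stack.length - 1;
    stack[top] = Math.max(stack[top], product);
  }
  return Math.max(...stack);
}

// Policy check to run before handing a pattern to a regex compiler.
function isAcceptablePattern(src) {
  return worstNestedRepetition(src) <= LIMIT;
}
```
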

CVE-2008-1025
The patch fixes an issue where a malicious website may result in cross-site scripting: "An issue exists in WebKit's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs," Apple notes.

WINDOWS

CVE-2007-2398 and CVE-2008-1024
As far as Windows users running Safari are concerned, the patches address, respectively, an issue where a maliciously crafted website can control the contents of the address bar (patched in a public beta of v3.0 and reintroduced with v3.1), and an issue where a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a memory corruption issue in Safari's file downloading.

"By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems," Apple says.

Apple recommends that all Safari users update to the latest version of the company's standard web browser.

17th April 2008, 07:13 GMT | Copyright (c) 2008 Softpedia