Softpedia
 


April 25th, 2008, 10:36 GMT

Safari 3.1.1 Still Not Safe. URL Spoofing Flaw Confirmed

Weeks have passed since Apple issued the latest security patch for its standard web browser, Safari, for Mac OS X and Windows users. Version 3.1.1 patched four main issues, one of which was a flaw that allowed Charlie Miller to "Pwn and Own" Apple's MacBook Air, nabbing for himself the laptop and 10 Gs at CanSecWest. Even after the update, however, the web browser is far from flawless, research site Secunia warns.

The website issued its warning just over a week after Apple offered the security update. It alleges that both Mac OS X and Windows users of Safari are facing another, "less critical," vulnerability that could potentially allow malicious sites to "spoof" other websites. Juan Pablo Lopez Yacubian reported the vulnerability to Secunia, adding that Safari 3.1.1 has a flaw that can be exploited by malicious people to display a fake URL in the address bar.

"The problem is that it is possible to hide the actual location of a page in the address bar via a specially crafted URL containing a number of certain special characters in the 'user' field before the '@' character," the security advisory noted. Both Mac OS X and Windows Vista users of Apple's standard web browser are currently known to be affected, but other versions of the OS may very well be affected too, according to Secunia. The research site rates the flaw as "less critical". However, Secunia warns that users should avoid untrusted websites and untrusted links nonetheless.
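
A defender-side check for the pattern the advisory describes, as an added example that is not from Softpedia, Secunia or Apple: it parses a link, reports the host that will actually be contacted, and flags a 'user' field that resembles a hostname or carries special characters. The advisory does not name the exact characters involved, so the character rule, the function name `inspect_url` and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Something shaped like a DNS name: dotted labels ending in an alphabetic label.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

# Characters tolerated in the 'user' field before '@' (assumed policy, not from
# the advisory): ASCII letters and digits plus "-._~" and the user:password colon.
SAFE_PUNCT = "-._~:"


def inspect_url(url):
    """Report the real destination host and any userinfo-based spoofing signs."""
    parts = urlsplit(url)
    findings = []
    userinfo = None
    # Only an '@' inside the authority counts; '@' in the path or query is harmless.
    if "@" in parts.netloc:
        # Decode percent-escapes so hidden spaces or control bytes become visible.
        userinfo = unquote(parts.netloc.rpartition("@")[0])
        findings.append("userinfo-present")
        if HOSTLIKE.search(userinfo):
            findings.append("userinfo-looks-like-host")
        if any(not ((c.isascii() and c.isalnum()) or c in SAFE_PUNCT)
               for c in userinfo):
            findings.append("userinfo-special-chars")
    return {"real_host": parts.hostname, "userinfo": userinfo, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links (reserved example names and documentation IPs).
    samples = [
        "http://www.example-bank.test%20%20%20%20@203.0.113.7/login",
        "ftp://alice:s3cret@files.example.org/",
        "https://www.example.org/contact@sales",
    ]
    for s in samples:
        r = inspect_url(s)
        print(f"{s}\n  real host: {r['real_host']}  findings: {r['findings']}")
```

A mail gateway or link-rewriting proxy can apply the same check and show users the `real_host` value instead of the raw link text.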

Safari 3.1.1 includes stability and compatibility improvements as well as security fixes. Aside from addressing the flaw that allowed Charlie Miller to compromise Apple's MacBook Air at the Pwn2Own contest, as far as the Mac OS X version of the web browser is concerned, the patch also contains fixes for three other issues. Two of those are for the Windows version of Safari.
