Apple patches 'the world's fastest web browser'

Feb 13, 2009 09:22 GMT  ·  By
Apple Software Update listing Safari 3.2.2 as available for a Windows machine

While not yet present in Apple's Downloads section, our Windows-running PCs (yeah, we have those, too) have detected a new version of the Safari browser. Safari 3.2.2 for Windows addresses a potential security issue when accessing a maliciously crafted feed.

Windows users can download Safari 3.2.2 using the Apple Software Update application, which was installed automatically the first time their PC got Apple software. According to Apple, the web browser has been patched to solve input validation problems with feed URLs. The company credits Clint Ruoho of Laconic Security, Billy Rios of Microsoft, and Brian Mastenbrook for reporting the issues present in the Windows version of Safari.

Apparently, these issues could be used to run arbitrary JavaScript within a PC's local security zone. Both Windows and Mac users are affected by this threat. However, instead of taking the Mac version of Safari to 3.2.2, the company decided to include these fixes with the 2009-001 Security Update for Mac OS X Tiger and Leopard.

While the contents of the Safari update are more complex, the Windows Software Update only says that “Safari 3.2 introduces protection from fraudulent phishing websites and better identification of online businesses” (pictured above). From Apple's Support section, the complete description of the Safari vulnerability (now patched in version 3.2.2) goes as follows:

Safari 3.2.2 for Windows

CVE-ID: CVE-2009-0137

Available for: Windows XP or Vista

Impact: Accessing a maliciously crafted feed: URL may lead to arbitrary code execution

Description: Multiple input validation issues exist in Safari's handling of feed: URLs. The issues allow execution of arbitrary JavaScript in the local security zone. This update addresses the issues through improved handling of embedded JavaScript within feed: URLs. These issues do not affect Mac OS X systems that have applied Security Update 2009-001. Credit to Clint Ruoho of Laconic Security, Billy Rios of Microsoft, and Brian Mastenbrook for reporting these issues.