Apple plugs holes in WebCore, WebKit, and Safari 3.0 beta

Posted:
in macOS edited January 2014
Two new patches released by Apple Inc. on Friday afternoon address security issues with Mac OS X web frameworks and the company's recently-released Safari 3.0 beta for both Mac and Windows PCs.



Security Update 2007-006



The first of the two updates, Security Update 2007-006, corrects a HTTP injection issue that exists in WebCore's XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks, Apple said. The security update addresses the issue by performing additional validation of header parameters.



The patch also corrects an invalid type conversion that occurs when WebKit renders frame sets, which could lead to memory corruption. If exploited by a maliciously crafted web page, the vulnerability could lead to an unexpected application termination or arbitrary code execution, Apple said.



Security Update 2007-006 is available as a 2.7MB download for PowerPC Macs running Mac OS X 10.4.9 or later, a 4.5MB download for Intel Macs running Mac OS X 10.4.9, or a 2.2MB download for PowerPC Macs running Mac OS X 10.3.9.



Safari 3 Beta Update 3.0.2



Also on Friday, Apple issued Safari 3 Beta Update 3.0.2 for both Macs and Windows PCs. The updates includes both of the aforementioned fixes and adds two Safari-specific security enhancements.



The first, Apple said, applies to a timing issue in Safari Beta 3.0.1 for Windows that allows a web page to change the contents of the address bar without loading

the contents of the corresponding page.



The glitch, which does not apply to Mac OS X systems, could theoretically be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. Safari 3.0.2 addresses the issue by restoring the address bar contents if a request for a new web page is terminated.



The other fix, which applies to both the Mac and Windows version of Safari 3.0.1, targets a race condition in page updating that when combined with HTTP redirection may allow JavaScript from one page to modify a redirected page.



"This could allow cookies and pages to be read or arbitrarily modified," Apple explained.



Safari 3.0.2, which was released via Apple's Software Update mechanism, addresses the issue by correcting access control to window properties.

Comments

  • Reply 1 of 18
    knnethknneth Posts: 14member
    Not only did Apple plug the aforementioned security holes, they have also fixed a couple of text rendering/entry issues I have been experiencing on my localized version of Windows that made the web experience with Safari less merry than that with Internet Explorer. Hooray for Apple!
  • Reply 2 of 18
    smqtsmqt Posts: 28member
    Safari 3.0.2 freezes on my PPC when downloading anything
  • Reply 3 of 18
    SpamSandwichSpamSandwich Posts: 33,407member
    Quote:
    Originally Posted by SMQT View Post


    Safari 3.0.2 freezes on my PPC when downloading anything



    Thus, the term "beta".
  • Reply 4 of 18
    jeffdmjeffdm Posts: 12,951member
    Quote:
    Originally Posted by SpamSandwich View Post


    Thus, the term "beta".



    It's an often-misused term. Some projects, such as Google's projects, are "Beta" and left at that designation despite being production quality for a long time. Apple's Safari was too ridiculously problematic to deserve the designation. Mozilla's developer nightlies are about as stable or more stable than Safari was.
  • Reply 5 of 18
    ouraganouragan Posts: 437member
    Safari for Windows 3.0 was a big disappointment as I couldn't create any bookmarks on Windows XP nor import existing Firefox bookmarks.



    Was the issue tied to the French language localization, or the Firefox bookmarks? I wouldn't know, but the whole experience was a disaster.



    Crash reports were dutifully sent to Apple, so that Apple is aware of the problem. Hopefully, it will soon be corrected. But, don't count on me to test alpha or beta software from Apple. Once burnt, twice shy.



  • Reply 6 of 18
    holy crap the startup time is amazing
  • Reply 7 of 18
    smqtsmqt Posts: 28member
    Quote:
    Originally Posted by SpamSandwich View Post


    Thus, the term "beta".



    Thus, why I post on this forum to maybe get some feedback if this is exceptional. rolleyes
  • Reply 8 of 18
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by SMQT View Post


    Safari 3.0.2 freezes on my PPC when downloading anything



    Have you tried reinstalling Safari?
  • Reply 9 of 18
    Wow, two updates in less than two weeks. Looks like Apple is serious about this Safari browser.
  • Reply 10 of 18
    - ?(r)?z -- ?(r)?z - Posts: 127member
    Does Safari 2 need to be deleted for Safari 3 to work? or can Safari 2 simply be temporarily placed in a folder inside the Applications folder; then if Safari 3 is not what I want to use, I can simply delete Safari 3, and drag Safari 2 back into the Applications folder?
  • Reply 11 of 18
    smqtsmqt Posts: 28member
    Quote:
    Originally Posted by solipsism View Post


    Have you tried reinstalling Safari?



    Yeah, I've uninstalled, reinstalled it. Thanks for asking

    Reinstalled the security update... and so on.

    I've reverted to 2, but am missing the search etc.
  • Reply 12 of 18
    sandausandau Posts: 1,230member
    this update killed Google Reader for me. It renders everything in a little box now, completely fluxored.



    UPDATE: Setting to user defaults and uninstalling Safari Enhancer fixed this issue. (this is the tool that enables the Debug menu).



    yeah!
  • Reply 13 of 18
    smqtsmqt Posts: 28member
    Quote:
    Originally Posted by - Ø®£Z - View Post


    Does Safari 2 need to be deleted for Safari 3 to work? or can Safari 2 simply be temporarily placed in a folder inside the Applications folder; then if Safari 3 is not what I want to use, I can simply delete Safari 3, and drag Safari 2 back into the Applications folder?



    There's an installer and an uninstaller to restore Safari 2.0 if you don't want 3beta anymore.
  • Reply 14 of 18
    Not that I think anyone was holding their breath for this one, but just as a note, they've added Corean language support with update 3.0.2
  • Reply 15 of 18
    jemsterjemster Posts: 37member
    Has anyone who was having Java problems on the Mac 3.0 beta seen any improvement on this update?



    I use an online stock trading site that uses Java (I chose this site because it's identical on my work PC to my home iMac) but had to pull the beta version almost as soon as I'd installed it as the live prices disappeared under 3.0.



    I went back to 2, everything went back to normal, tried going to 3 again and the prices disappeared. There's a few people on the apple discussion forums with similar java issues but no fixes (that I've found, yet...).



    Oh the applet requires 1.4 Java and yes, I have the order setup right in the Java utility. Anyone seen the same problems?
  • Reply 16 of 18
    pbpb Posts: 4,255member
    Hmm...



    6-Month Vista Vulnerabiltiy Report



    Now this is from a MS guy and things are relative, but many will read this report without caring about the whole picture.
  • Reply 17 of 18
    louzerlouzer Posts: 1,054member
    Quote:
    Originally Posted by PB View Post


    Hmm...



    6-Month Vista Vulnerabiltiy Report



    Now this is from a MS guy and things are relative, but many will read this report without caring about the whole picture.



    Right, but ignoring the OS X side of things ("There's no viruses, so its not really a hole!"), its generally correct. People mock MS, but Vista has been pretty solid in terms of vulnerabilities.
  • Reply 18 of 18
    louzerlouzer Posts: 1,054member
    Quote:
    Originally Posted by JeffDM View Post


    It's an often-misused term. Some projects, such as Google's projects, are "Beta" and left at that designation despite being production quality for a long time. Apple's Safari was too ridiculously problematic to deserve the designation. Mozilla's developer nightlies are about as stable or more stable than Safari was.



    Google keeps its Beta tag so they don't have to actually support it. Most companies, like Apple, use the term "beta" when they're posting a public version of their pre-release software. Most also don't care about the technical use of the term (you know, the one that causes people to cry "Waaa, its not feature complete, so its no technically a beta!"), because most general users know that 'beta' means 'unfinished', while have never heard of terms like 'alpha' or 'developmental'.



    But, above all else, there's nothing about the term 'beta' that implies 'stable'. Technically beta is just supposed to mean 'feature complete', not 'complete and stable and almost ready to go'.



    BTW, most people would argue that apple's 'x.y.0' OS releases actually fit the term beta. But that holds for most software vendors.
Sign In or Register to comment.