Apple plugs holes in WebCore, WebKit, and Safari 3.0 beta
Two new patches released by Apple Inc. on Friday afternoon address security issues with Mac OS X web frameworks and the company's recently-released Safari 3.0 beta for both Mac and Windows PCs.
Security Update 2007-006
The first of the two updates, Security Update 2007-006, corrects an HTTP injection issue that exists in WebCore's XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks, Apple said. The security update addresses the issue by performing additional validation of header parameters.
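The class of check described above, as an added example that is not Apple's or WebCore's code: a header serializer that writes name/value pairs verbatim next to one that validates them first. All function names are hypothetical, the sample header is constructed, and the rules used (RFC 7230 token names; no CR, LF or NUL in values) are an assumption about what "additional validation" means, not the actual patch.

```javascript
// Added illustration; not WebCore's code. All names here are hypothetical.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 "token" for header names
const BAD_VALUE = /[\r\n\0]/;                    // bytes that end or corrupt a header line

function validateHeader(name, value) {
  if (typeof name !== "string" || !TOKEN.test(name)) {
    return { ok: false, reason: "invalid header name" };
  }
  if (typeof value !== "string" || BAD_VALUE.test(value)) {
    return { ok: false, reason: "CR, LF or NUL in header value" };
  }
  return { ok: true };
}

// "Before": pairs are written into the request exactly as supplied.
function serializeUnchecked(method, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of headers) out += `${name}: ${value}\r\n`;
  return out + "\r\n";
}

// "After": every pair is validated before anything is serialized.
function serializeChecked(method, path, headers) {
  for (const [name, value] of headers) {
    const result = validateHeader(name, value);
    if (!result.ok) throw new Error(`${result.reason}: ${JSON.stringify(name)}`);
  }
  return serializeUnchecked(method, path, headers);
}

// Number of header lines a receiving parser sees in the request head.
function countHeaderLines(raw) {
  const head = raw.split("\r\n\r\n")[0];
  return head.split("\r\n").length - 1; // subtract the request line
}

// Constructed sample: one header supplied by script, with a line break in its value.
const sample = [["X-Note", "hello\r\nX-Injected: 1"]];
```

With the unchecked serializer the single supplied header reaches the wire as two header lines; the checked serializer rejects it before any bytes are produced.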
The patch also corrects an invalid type conversion that occurs when WebKit renders frame sets, which could lead to memory corruption. If exploited by a maliciously crafted web page, the vulnerability could lead to an unexpected application termination or arbitrary code execution, Apple said.
Security Update 2007-006 is available as a 2.7MB download for PowerPC Macs running Mac OS X 10.4.9 or later, a 4.5MB download for Intel Macs running Mac OS X 10.4.9, or a 2.2MB download for PowerPC Macs running Mac OS X 10.3.9.
Safari 3 Beta Update 3.0.2
Also on Friday, Apple issued Safari 3 Beta Update 3.0.2 for both Macs and Windows PCs. The update includes both of the aforementioned fixes and adds two Safari-specific security enhancements.
The first, Apple said, applies to a timing issue in Safari Beta 3.0.1 for Windows that allows a web page to change the contents of the address bar without loading the contents of the corresponding page.
The glitch, which does not apply to Mac OS X systems, could theoretically be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. Safari 3.0.2 addresses the issue by restoring the address bar contents if a request for a new web page is terminated.
The other fix, which applies to both the Mac and Windows versions of Safari 3.0.1, targets a race condition in page updating that, when combined with HTTP redirection, may allow JavaScript from one page to modify a redirected page.
"This could allow cookies and pages to be read or arbitrarily modified," Apple explained.
Safari 3.0.2, which was released via Apple's Software Update mechanism, addresses the issue by correcting access control to window properties.
Comments
Safari 3.0.2 freezes on my PPC when downloading anything
Thus, the term "beta".
Thus, the term "beta".
It's an often-misused term. Some projects, such as Google's projects, are "Beta" and left at that designation despite being production quality for a long time. Apple's Safari was too ridiculously problematic to deserve the designation. Mozilla's developer nightlies are about as stable or more stable than Safari was.
Was the issue tied to the French language localization, or the Firefox bookmarks? I wouldn't know, but the whole experience was a disaster.
Crash reports were dutifully sent to Apple, so that Apple is aware of the problem. Hopefully, it will soon be corrected. But, don't count on me to test alpha or beta software from Apple. Once burnt, twice shy.
Thus, the term "beta".
Thus, why I post on this forum to maybe get some feedback if this is exceptional. rolleyes
Safari 3.0.2 freezes on my PPC when downloading anything
Have you tried reinstalling Safari?
Have you tried reinstalling Safari?
Yeah, I've uninstalled, reinstalled it. Thanks for asking
Reinstalled the security update... and so on.
I've reverted to 2, but am missing the search etc.
UPDATE: Setting to user defaults and uninstalling Safari Enhancer fixed this issue. (this is the tool that enables the Debug menu).
yeah!
Does Safari 2 need to be deleted for Safari 3 to work? or can Safari 2 simply be temporarily placed in a folder inside the Applications folder; then if Safari 3 is not what I want to use, I can simply delete Safari 3, and drag Safari 2 back into the Applications folder?
There's an installer and an uninstaller to restore Safari 2.0 if you don't want 3beta anymore.
I use an online stock trading site that uses Java (I chose this site because it's identical on my work PC to my home iMac) but had to pull the beta version almost as soon as I'd installed it as the live prices disappeared under 3.0.
I went back to 2, everything went back to normal, tried going to 3 again and the prices disappeared. There's a few people on the Apple discussion forums with similar Java issues but no fixes (that I've found, yet...).
Oh the applet requires 1.4 Java and yes, I have the order setup right in the Java utility. Anyone seen the same problems?
6-Month Vista Vulnerability Report
Now this is from a MS guy and things are relative, but many will read this report without caring about the whole picture.
Hmm...
6-Month Vista Vulnerability Report
Now this is from a MS guy and things are relative, but many will read this report without caring about the whole picture.
Right, but ignoring the OS X side of things ("There's no viruses, so it's not really a hole!"), it's generally correct. People mock MS, but Vista has been pretty solid in terms of vulnerabilities.
It's an often-misused term. Some projects, such as Google's projects, are "Beta" and left at that designation despite being production quality for a long time. Apple's Safari was too ridiculously problematic to deserve the designation. Mozilla's developer nightlies are about as stable or more stable than Safari was.
Google keeps its Beta tag so they don't have to actually support it. Most companies, like Apple, use the term "beta" when they're posting a public version of their pre-release software. Most also don't care about the technical use of the term (you know, the one that causes people to cry "Waaa, it's not feature complete, so it's not technically a beta!"), because most general users know that 'beta' means 'unfinished', while they have never heard of terms like 'alpha' or 'developmental'.
But, above all else, there's nothing about the term 'beta' that implies 'stable'. Technically beta is just supposed to mean 'feature complete', not 'complete and stable and almost ready to go'.
BTW, most people would argue that Apple's 'x.y.0' OS releases actually fit the term beta. But that holds for most software vendors.