Apple releases Safari 3.1.1 to address four security issues

Posted in Mac Software, edited January 2014
Apple on Wednesday afternoon released version 3.1.1 of its Safari web browser to address a handful of security issues, including one widely publicized vulnerability that allowed a MacBook Air to be compromised during a recent security conference.



The 39MB release, available for both Macs and Windows PCs, is recommended for all Safari users and includes improvements to stability, compatibility and security.



Specifically, Apple said the update patches four security issues, including a heap buffer overflow that existed within the browser's WebKit framework for handling JavaScript regular expressions.



The issue was reported by Charlie Miller, who discovered and exploited the vulnerability on a MacBook Air to win a $10,000 prize at last month's CanSecWest security conference.



The Safari 3.1.1 update also addressed a second issue within WebKit's handling of URLs containing a colon character in the host name. By exploiting that vulnerability, a hacker could use a maliciously crafted URL to carry out a cross-site scripting attack, Apple said.



Two other issues with the Safari application itself were also addressed, though they concerned only the PC version of the browser. One of those issues made it possible for a maliciously crafted website to control the contents of a user's address bar, while the other made it possible for a maliciously crafted website to cause arbitrary code execution or cause the Safari application to quit unexpectedly.


Comments

  • Reply 1 of 19
    walshbj Posts: 864 member
    Do they patch this kind of stuff in webkit in parallel?
  • Reply 2 of 19
    sc_markt Posts: 1,402 member
    Quote:
    Originally Posted by walshbj


    Do they patch this kind of stuff in webkit in parallel?



    I'm not liking this new safari 3.1.1. It's been doing weird things and it seems to hang.
  • Reply 3 of 19
    Quote:
    Originally Posted by sc_markt


    I'm not liking this new safari 3.1.1. It's been doing weird things and it seems to hang.



    I noticed that too until I reset Safari. Now much better.
  • Reply 4 of 19
    jeffdm Posts: 12,951 member
    What's going on in Safari that requires a reboot to update? If it's that tightly integrated with the core of the OS, didn't that contribute to the security liability that took down the Air in that contest?
  • Reply 5 of 19
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by JeffDM


    What's going on in Safari that requires a reboot to update?



    My concerns as well. I'm not a fan of the way Leopard goes into another mode to install system updates, requires more reboots for regular apps and that the updates seem overly large in size.
  • Reply 6 of 19
    mactel Posts: 1,275 member
    Quote:
    Originally Posted by solipsism

    My concerns as well. I'm not a fan of the way Leopard goes into another mode to install system updates, requires more reboots for regular apps and that the updates seem overly large in size.



    Typically, if they are updating shared libraries that other apps are using, then they require a reboot.



    I wasn't a fan of the firmware update a week or so ago. It was simple enough to do, but why did the user have to be involved? Firmware updates should be a little more automatic than having to depress a power button till a system beep goes off. Fun stuff!
  • Reply 7 of 19
    jeffdm Posts: 12,951 member
    Quote:
    Originally Posted by MacTel

    I wasn't a fan of the firmware update a week or so ago. It was simple enough to do, but why did the user have to be involved? Firmware updates should be a little more automatic than having to depress a power button till a system beep goes off. Fun stuff!



    The first Mac Pro update required the user to hold the power button, but the second didn't.
  • Reply 8 of 19
    mdriftmeyer Posts: 7,503 member
    Quote:
    Originally Posted by JeffDM


    What's going on in Safari that requires a reboot to update? If it's that tightly integrated with the core of the OS, didn't that contribute to the security liability that took down the Air in that contest?



    WebKit and other System Frameworks are getting updated, new linking and more.



    WebKit is system-wide with the HTML Help system.
  • Reply 9 of 19
    wizard69 Posts: 13,377 member
    Quote:
    Originally Posted by sc_markt


    I'm not liking this new safari 3.1.1. It's been doing weird things and it seems to hang.



    I'm not sure which web site you are having issues with but I did notice my Yahoo Mail account having problems that started just before the Safari update. So in that case at least it is not an update issue.



    So far though it seems to work fine for me.
  • Reply 10 of 19
    .mac Posts: 44 member
    updated to 3.1.1 and no issues found
  • Reply 11 of 19
    irchs Posts: 86 member
    Quote:
    Originally Posted by internetworld7


    I noticed that too until I reset Safari. Now much better.



    I noticed it also, a reset seems to fix it



    Cheers



    Jan
  • Reply 12 of 19
    rain Posts: 538 member
    Youtube no longer works. Downloaded the newest flash player, and still doesn't work.

    Great update
  • Reply 13 of 19
    MacPro Posts: 19,727 member
    Quote:
    Originally Posted by rain

    Youtube no longer works. Downloaded the newest flash player, and still doesn't work.

    Great update



    YouTube works fine for me.



    Initially it seemed to have problems with any site I had been to recently but I only needed to clear cache to fix this, didn't need reset. Now all seems fine.
  • Reply 14 of 19
    nano_tube Posts: 114 member
    A lot of us still think that resetting Safari is the same option we had in previous versions.

    Note that at this version and 3.1 too resetting Safari opens a window asking the user what to reset.

    So now reset is similar to Firefox's clear private data dialog box.



    I use it regularly to clean Safari.



  • Reply 15 of 19
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by Nano_tube

    Note that at this version and 3.1 too resetting Safari opens a window asking the user what to reset.

    So now reset is similar to Firefox's clear private data dialog box.



    I did not know this. Thanks.
  • Reply 16 of 19
    k squared Posts: 608 member
    Quote:
    Originally Posted by solipsism

    My concerns as well. I'm not a fan of the way Leopard goes into another mode to install system updates, requires more reboots for regular apps and that the updates seem overly large in size.



    I like this new way. It seems like there will be fewer install problems because it's off a fresh boot, without any applications/processes running which may interfere with the update.
  • Reply 17 of 19
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by k squared


    I like this new way. It seems like there will be fewer install problems because it's off a fresh boot, without any applications/processes running which may interfere with the update.



    You're probably correct, but one thing I always touted OS X over Windows was that simple updates didn't require restarts.
  • Reply 18 of 19
    ensee Posts: 4 member
    I'm running safari 3.1.1 on a macbook running 10.4.11 - it's not a happy place.



    I can't get onto secure websites: firefox is fine with them but my banking, my email, university pages, my .Mac - which is being iffy today - are all being bounced in safari because it "couldn't establish a secure connection to the server 'www.amazon.co.uk'." - as an example.



    Any suggestions?
  • Reply 19 of 19
    icfireball Posts: 2,594 member
    Updater gave me an error on my Mac Pro and now Safari won't work at all.