June 22, 2007 3:12 PM PDT

Apple updates Safari with version 3.0.2 for Windows (beta)

by Robert Vamosi

Roughly one week after releasing Safari 3.0.1 for Windows (beta), Apple today released Safari 3.0.2 for Windows (beta). The Safari 3.0 beta patches issued today are for Apple Mac OS X as well as Windows XP and Windows Vista users, and basically piggyback on Apple Security Update 2007-006, which is intended only for Mac OS users who have installed Safari 3.0 beta.

Patch for Safari
This patch affects users of Windows XP or Vista and does not affect Mac OS X, and addresses the vulnerability in CVE-2007-2398. In Safari Beta 3.0.1 for Windows, a timing issue allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. Credit to Robert Swiecki is missing from this update. Successful execution could allow a maliciously crafted Web site to control the contents of the address bar.

Patch for Safari
This patch affects users of Mac OS X v10.4.9 or later, Windows XP or Vista and addresses the vulnerability in CVE-2007-2400. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. Successful execution could allow cross-site scripting.

Patch for WebCore
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later, and Windows XP and Windows Vista, and addresses the vulnerability in CVE-2007-2401. When serializing headers into an HTTP request, an HTTP injection is possible within XMLHttpRequest. Successful execution could result in cross-site requests to malicious sites.

Patch for WebKit
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later and addresses the vulnerability in CVE-2007-2399. A memory corruption issue exists with invalid type conversion when rendering frame sets. Visiting a maliciously crafted Web site could allow a denial-of-service (crash) or arbitrary code execution.

The latest version of Safari for Windows beta can be downloaded from Apple here.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
vulnerabilities
by TenBees June 23, 2007 1:58 PM PDT
and I thought Apple's software was immune from security vulnerabilities.

What a relief to know they are fallible.
Wow apple has holes
by firestarter June 25, 2007 1:32 PM PDT
this thing has not been out that long and it's been patched twice not even ie 7 beta was patched 2 in that short of a time and yes i know it's a beta but this is just sad. not really and why does apple think that we windows users need a 4th option when it comes to browsers we are happy with our 3 choices already and unless you are doing something totally unique then don't even bother wasting our time.
Re: Wow apple has holes
by plinck July 4, 2007 9:00 AM PDT
before mac started porting safari to windows i had to walk over to our mac test machine in order to test my web application on safari. now i don't have to. i can sit right at my pc and use a virtual machine running xp with safari installed. so i'm happy that they did this port. i will say that safari 2.0 and 3.0 aren't without their bugs and are just as non-standard in browser compliance as early versions of ie! BELIEVE ME I KNOW THIS FIRST HAND! safari is designed to be "the fastest" and as a result their browser doesn't follow all the rfc's that are written by the www folks! for instance, they have a faster back button that *always* pulls your page from memory cache instead of checking with your web server. this happens even when the web server explicitly tells the browser to not cache the page. it's a nice feature i suppose unless you're using a secure website (like your bank) and upon logging out you can still use the back button to see all the private information.. as a developer you have to go through huge hoops to get safari to not cache your secure pages.. every other browser follows these rules.. but people continue to believe that macs are better in design and much more secure! at least that's what the mac users are preaching.