June 19, 2008 2:40 PM PDT

Apple updates Safari for Windows with four security fixes

Posted by Robert Vamosi

Apple on Thursday released a new version of Safari for Windows that includes a security fix for a high-profile carpet-bombing desktop attack vulnerability previously dismissed by the Cupertino vendor. The Safari update is only for Windows users, not Mac OSX versions. Version 3.1.2 of Safari for Windows can be downloaded and installed from Apple Downloads, or you can download Safari 3.1 here.

BMP or GIF image memory error
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-1573, an out-of-bounds memory read vulnerability. The error may occur in the handling of BMP and GIF images, which may lead to the disclosure of memory contents. Apple credits Gynvael Coldwind of Hispasec for reporting the vulnerability.

Carpet bombing attack
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2540, a vulnerability in how Windows desktop handles executable files. Apple explains: "Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP." Apple credits Aviv Raff for reporting the vulnerability.

Internet Explorer 7
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2306 which is an Internet Explorer 7 vulnerability. Apple explains: "If a Web site is in an Internet Explorer 7 zone with the 'Launching applications and unsafe files' setting set to 'Enable,' or if a Web site is in the Internet Explorer 6 'Local intranet' or 'Trusted sites' zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the 'always prompt' setting is enabled." Apple credits Will Dormann of CERT/CC for reporting the vulnerability.

WebKit Javascript array
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2307, which is a memory corruption vulnerability. An error exists in WebKit's handling of JavaScript arrays, so visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Apple credits James Urquhart for reporting the vulnerability.

Topics:

Browsers and extensions,

Security

Tags:

security,

Apple,

Safari for Windows,

carpet bombing,

Aviv Raff

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from Defense in Depth
Column: Raising Cain at Black Hat
Black Hat 2008: Notes from the field
Column: Finally, ID fraud protection that works
Column: Will you be ditching your antivirus app anytime soon?
A real simple answer to password protection
Add a Comment (Log in or register) 2 comments
by Dalkorian June 20, 2008 11:04 AM PDT
"The update addresses CVE-2008-2306 which is an Internet Explorer 7 vulnerability." Just wow, now Apple is fixing M$ bugs for them! Neat! It's far better than waiting years for a patch from M$ that corrupts other programs and/or files on your system. ;-)
Reply to this comment View reply
Powered by Jive Software
advertisement

Latest tech news headlines

Resource center from News.com sponsors
Same great protection. Reengineered for speed.
Norton Internet Security™2008

Click Here!
Norton still delivers award-winning protection and now uses 83% less memory and scans 48% faster than the competitor average. Get a FREE trial today!

Click Here!
Norton Beats the Competition

See how Norton Internet Security™2008 uses less memory, while scanning and booting faster than the competitor average.

Norton Protection Blog

Read the latest from our security experts as they help protect people from evolving online threats.

Protect Your Bluetooth Connection

Don't let fraudsters sink their teeth into your Bluetooth connection.

Vishing - What you need to know

Meet the latest ID theft scam: Voice Phishing.

Take Norton for a Test Drive Today!

Act now to get your FREE trial of Norton Internet Security 2008.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

Featured blogs

advertisement

Inside CNET News

Scroll Left Scroll Right

  • News - Business Tech

    Chrome's JavaScript challenge to Silverlight

    The advent of Google's Chrome browser, software pros say, should spur a big speedup for JavaScript, which would raise its standing against Microsoft's Silverlight technology.

  • Gallery

    Photos: Top 10 reviews of the week

    Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.

  • News - Apple

    Apple watchers spot 'iPod Nano' pix, iTunes hints

    The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.

  • Outside the Lines

    EIC Squared: Chrome, iPods, and a Dell-Salesforce union

    On this week's EIC Squared podcast CNET's Dan Farber and ZDNet's Larry Dignan discuss Google's latest rocket launch--the Chrome browser--as well as Apple's iPod event next week and a Dell-Salesforce.com union.

  • Video

    Katie Couric reflects on first Webcast

    The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.

  • News - Digital Media

    At 10 years old, whither Google?

    Daniel Sieberg of CBS News looks at how the company grew exponentially from start-up to superstar and part of our culture, but what's ahead?

  • Video

    YouTube plays party politics

    During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.

  • News - Gaming and Culture

    Are Demo and TechCrunch50 fragmenting their audiences?

    With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.

  • News - Cutting Edge

    Execs predict next Google-like tech

    On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.

  • Gallery

    Images: The art of 'Spore' prototypes

    Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.

  • Webware

    Mozilla releases second Firefox 3.1 alpha

    Added features include support for a new video tag element introduced with the HTML 5 standard, along with some speed enhancements.

  • Green Tech

    Duke Energy to invest in mini solar power plants

    Can hundreds of rooftop solar panels collectively operate like a central power plant? Duke Energy launches $100 million distributed solar program to find out.

News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Dell
PlayStation 3
Wii
Windows Vista
CNET sites
CNET TV
Downloads
Forums
News
Reviews
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET