Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: safari update - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
safari update

Apple has released a new version of the public BETA safari browser (3.0.1) to address the three vulnerabilities announced earlier this week.
It is available here: http://www.apple.com/safari/download/

From http://lists.apple.com/archives/Security-announce/2007/Jun/msg00000.html
"CVE-ID:  CVE-2007-3186
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to arbitrary code
execution
Description:  A command injection vulnerability exists in the Windows
version of Safari 3 Public Beta.  By enticing a user to visit a
maliciously crafted web page, an attacker can trigger the issue which
may lead to arbitrary code execution.  This update addresses the
issue by performing additional processing and validation of URLs.
This does not pose a security issue on Mac OS X systems, but could
lead to an unexpected termination of the Safari browser.

CVE-ID:  CVE-2007-3185
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description:  An out-of-bounds memory read issue in Safari 3 Public
Beta for Windows may lead to an unexpected application termination or
arbitrary code execution when visiting a malicious website.  This
issue does not affect Mac OS X systems.

CVE-ID:  CVE-2007-2391
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may allow cross-site scripting
Description:  A race condition in Safari 3 Public Beta for Windows
may allow cross site scripting.  Visiting a maliciously crafted web
page may allow access to JavaScript objects or the execution of
arbitrary JavaScript in the context of another web page.  This issue
does not affect Mac OS X systems."

donald

206 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!