James Delahunty
17 Apr 2008 0:21
Apple Inc. has released version 3.1.1 of the Safari web browser to address several serious security problems. One of the vulnerabilities that has been fixed was widely publicized after being used to compromise a MacBook Air during a security conference. The update is available for both Mac and PC at about 39MB. Installing it is highly recommended for all Safari users to ensure the security of their systems.
In total, four security bugs have been fixed by Apple. The aforementioned publicized security bug used to compromise a MacBook Air laptop at last month's CanSecWest security conference won Charlie Miller a $10,000 prize. The bugs also included a heap buffer overflow present in the browser's WebKit framework for handling JavaScript.
A second issue in the WebKit framework was also addressed. It involved WebKit's handling of URLs that contain a colon character in the host name, which a malicious user could have exploited by crafting a URL that leads to a cross-site scripting attack. Two other issues allowed malicious users to manipulate the contents of the address bar, or to execute arbitrary code.