
Safari Fix Makes Macs a Little Less PWNable


Apple has issued a fix to the Safari Web browser flaw that was discovered at last month's CanSecWest PWN to Own hacking contest. Contest organizers kept the flaw a secret and delivered it to Apple, which worked out a security patch and distributed it and other fixes through its Software Update application.



Apple (Nasdaq: AAPL) issued four security updates Thursday for its Web browser Safari, one of which patches the highly publicized -- yet secret -- hole that let security expert Charlie Miller burrow his way into a MacBook Air at the CanSecWest security conference last month. The vulnerability was immediately disclosed to Apple from the conference, but today is the first time it's been widely identified.

The software updates come in an upgrade to Safari 3.1.1. Two are only for the Windows version of Safari, while two others affect vulnerabilities in WebKit, which is a framework that provides the foundation for Safari.

Must-Have Update

"This is a must-install update for all Safari users on any platform," Rich Mogull, an independent security consultant, told MacNewsWorld.

"The vulnerability it patches is easily exploitable by a remote bad guy by just having you visit a malicious Web page, and could give them control of your computer," he added.

Some early adopter installers have been noting some odd behavior in Safari after the security updates, but most issues seem to be easily fixed by resetting Safari by using the "Reset Safari ..." command under the Safari drop-down menu.

The Details

Apple's Software Update application, which notifies users of available updates, is characteristically vague on details, but Apple published a support document that clarifies the Common Vulnerabilities and Exposures (CVEs) and fixes. Here are the details:

In CVE-2007-2398, for Windows XP or Vista, a maliciously crafted Web site may control the contents of the address bar. Apple explains, "A timing issue in Safari 3.1 allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This issue was addressed in Safari Beta 3.0.2, but reintroduced in Safari 3.1. This update addresses the issue by restoring the address bar contents if a request for a new Web page is terminated. This issue does not affect Mac OS X systems."

In CVE-2008-1024, for Windows XP or Vista, visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. Apple explains, "A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems."

In CVE-2008-1025, for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista, visiting a malicious Web site may result in cross-site scripting. According to Apple, "An issue exists in WebKit's handling of URLs (universal resource locators) containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs. Credit to Robert Swiecki of Google (Nasdaq: GOOG) Information Security Team and David Bloom for reporting this issue."

In CVE-2008-1026, for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista, viewing a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution. "A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions," Apple said. "The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller for reporting these issues."
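
The kind of "additional validation" described for CVE-2008-1026 can be pictured as a budget check on counted repetitions before a pattern is compiled. The following is an added illustration, not Apple's or WebKit's code: the function names, the MAX_EXPANSION limit and the sample patterns are assumptions made for the example.

```javascript
// Added illustration (not WebKit code): reject regex sources whose nested
// counted repetitions {n}, {n,} or {n,m} multiply out past a fixed budget.
// MAX_EXPANSION is an assumed limit; * and + are not counted here.
const MAX_EXPANSION = 1000000;

function maxNestedRepetition(pattern) {
  const stack = [1];     // per open group: largest repetition product seen inside it
  let last = 1;          // product carried by the most recent atom or closed group
  let inClass = false;   // inside [...] braces are literal characters
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") { i++; last = 1; continue; }        // escaped character: plain atom
    if (inClass) { if (ch === "]") { inClass = false; last = 1; } continue; }
    if (ch === "[") { inClass = true; continue; }
    if (ch === "(") { stack.push(1); continue; }
    if (ch === ")") {
      last = stack.length > 1 ? stack.pop() : 1;         // tolerate a stray ")"
      const top = stack.length - 1;
      stack[top] = Math.max(stack[top], last);
      continue;
    }
    const q = ch === "{" ? /^\{(\d+)(?:,(\d*))?\}/.exec(pattern.slice(i)) : null;
    if (q) {
      // Use the upper bound when present, otherwise the stated count.
      const count = q[2] ? Number(q[2]) : Number(q[1]);
      last *= Math.max(count, 1);
      const top = stack.length - 1;
      stack[top] = Math.max(stack[top], last);
      i += q[0].length - 1;
      continue;
    }
    last = 1;                                            // any other character is an atom
  }
  return Math.max(...stack);                             // also covers unclosed groups
}

function isWithinBudget(pattern) {
  return maxNestedRepetition(pattern) <= MAX_EXPANSION;
}

// Constructed sample patterns, checked before they would reach new RegExp().
for (const p of ["\\d{3}-\\d{4}", "((a{10}){20}){30}", "((a{1000}){1000}){1000}"]) {
  console.log(p, maxNestedRepetition(p), isWithinBudget(p) ? "accept" : "reject");
}
```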


More by Chris Maxcer
