22.06.2007

Safari 3.0.2 (beta) or Security Update 2007-006

Anyone who installed the public beta of Safari 3 will now find Safari 3.0.2 in Software Update (or on the Safari download page). The update closes several security holes and improves stability. On Mac OS X, WebKit was reworked to fix the problems the beta had introduced in its interaction with Mail, iChat and Dashboard. On Windows, Safari should now also be usable on non-English systems.
Anyone still running Safari 2 is offered Security Update 2007-006 (Intel, PPC, 10.3.9), which fixes a security hole in WebKit and WebCore. Only one of the two updates is required. The details of the closed security holes follow after the jump.

Safari 3.0.2:
Safari
CVE-ID: CVE-2007-2398
Available for: Windows XP or Vista
Impact: A maliciously crafted website may control the contents of
the address bar
Description: In Safari Beta 3.0.1 for Windows, a timing issue allows
a web page to change the contents of the address bar without loading
the contents of the corresponding page. This could be used to spoof
the contents of a legitimate site, allowing user credentials or other
information to be gathered. This update addresses the issue by
restoring the address bar contents if a request for a new web page is
terminated. This issue does not affect Mac OS X systems.

Safari
CVE-ID: CVE-2007-2400
Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari's security model prevents JavaScript in remote
web pages from modifying pages outside of their domain. A race
condition in page updating combined with HTTP redirection may allow
JavaScript from one page to modify a redirected page. This could
allow cookies and pages to be read or arbitrarily modified. This
update addresses the issue by correcting access control to window
properties. Credit to Lawrence Lai, Stan Switzer, Ed Rowe of Adobe
Systems, Inc for reporting this issue.

WebCore
CVE-ID: CVE-2007-2401
Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when
serializing headers into an HTTP request. By enticing a user to
visit a maliciously crafted web page, an attacker could conduct
cross-site scripting attacks. This update addresses the issue by
performing additional validation of header parameters. Credit to
Richard Moore of Westpoint Ltd for reporting this issue.
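
The CVE-2007-2401 entries (this one and the identical one under Security Update 2007-006) describe a header injection in XMLHttpRequest fixed by "additional validation of header parameters". The following is an added example, not Apple's WebCore code: a naive header serializer next to one that validates names and values the way a browser's setRequestHeader() must, with constructed test inputs.

```javascript
// Added example, not Apple's WebCore code: validation an XMLHttpRequest
// implementation has to apply before a header is serialized into the request,
// and why. The inputs at the bottom are constructed test data.

// RFC 2616 "token" characters, the only ones allowed in a header name.
const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidHeaderName(name) {
  return typeof name === "string" && HEADER_NAME_RE.test(name);
}

// A value may not contain CR, LF, NUL or other C0 controls (HTAB is allowed):
// a bare CR or LF would end the header line and start a new one.
function isValidHeaderValue(value) {
  return typeof value === "string" && !/[\x00-\x08\x0A-\x1F\x7F]/.test(value);
}

// Naive serialization: trusts whatever the page passed in. This is the shape
// of the defect: a CR/LF inside a value yields extra lines in the request.
function serializeHeadersUnchecked(headers) {
  return headers.map(([name, value]) => `${name}: ${value}\r\n`).join("");
}

// Hardened serialization: validate name and value first; leading/trailing
// whitespace is trimmed as browsers do, then the header line is emitted.
function serializeHeaders(headers) {
  let out = "";
  for (const [name, rawValue] of headers) {
    if (!isValidHeaderName(name)) {
      throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
    }
    const value = String(rawValue).replace(/^[ \t]+|[ \t]+$/g, "");
    if (!isValidHeaderValue(value)) {
      throw new SyntaxError(`invalid value for ${name}: ${JSON.stringify(value)}`);
    }
    out += `${name}: ${value}\r\n`;
  }
  return out;
}

// Number of header lines present in a serialized block. For a correct
// serializer this always equals the number of headers passed in.
function headerLineCount(serialized) {
  return serialized.split("\r\n").filter((line) => line.length > 0).length;
}

// Constructed inputs: a benign header, and one whose value smuggles a second line.
const BENIGN = [["X-Requested-With", "XMLHttpRequest"]];
const SMUGGLED = [["X-Note", "hello\r\nX-Injected: yes"]];
```

Running the unchecked serializer over SMUGGLED yields two header lines from one header; the hardened one rejects it with a SyntaxError instead.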

WebKit
CVE-ID: CVE-2007-2399
Available for: Mac OS X v10.4.9 or later, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets
could lead to memory corruption. Visiting a maliciously crafted web
page may lead to an unexpected application termination or arbitrary
code execution. Credit to Rhys Kidd of Westnet for reporting this
issue.

Security Update 2007-006:
WebCore
CVE-ID: CVE-2007-2401
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when
serializing headers into an HTTP request. By enticing a user to
visit a maliciously crafted web page, an attacker could conduct
cross-site scripting attacks. This update addresses the issue by
performing additional validation of header parameters. Credit to
Richard Moore of Westpoint Ltd. for reporting this issue.

WebKit
CVE-ID: CVE-2007-2399
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets
could lead to memory corruption. Visiting a maliciously crafted web
page may lead to an unexpected application termination or arbitrary
code execution. Credit to Rhys Kidd of Westnet for reporting this
issue.

Posted by Leo at 23:35
