Apple updates Safari with version 3.0.2 for Windows (beta)

This security update for Windows users piggybacks on patches for Apple users.

Robert Vamosi Former Editor

Roughly one week after releasing Safari 3.0.1 for Windows (beta), Apple today released Safari 3.0.2 for Windows (beta). The Safari 3.0 beta patches issued today are for Apple Mac OS X as well as Windows XP and Windows Vista users, and basically piggyback on Apple Security Update 2007-006, which is intended only for Mac OS users who have installed Safari 3.0 beta.

Patch for Safari
This patch affects users of Windows XP or Vista, does not affect Mac OS X, and addresses the vulnerability in CVE-2007-2398. In Safari Beta 3.0.1 for Windows, a timing issue allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. Credit to Robert Swiecki is missing from this update. Successful execution could allow a maliciously crafted Web site to control the contents of the address bar.

Patch for Safari
This patch affects users of Mac OS X v10.4.9 or later and Windows XP or Vista, and addresses the vulnerability in CVE-2007-2400. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. Successful execution could allow cross-site scripting.

Patch for WebCore
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later, and Windows XP and Windows Vista, and addresses the vulnerability in CVE-2007-2401. When serializing headers into an HTTP request, an HTTP injection is possible within XMLHttpRequest. Successful execution could result in cross-site requests to malicious sites.

Patch for WebKit
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later, and addresses the vulnerability in CVE-2007-2399. A memory corruption issue exists with invalid type conversion when rendering frame sets. Visiting a maliciously crafted Web site could allow a denial-of-service (crash) or arbitrary code execution.

The latest version of Safari for Windows beta can be downloaded from Apple here.