Both vulnerabilities affect Safari 3.0 and could be exploited by surfing the Internet.
Only days after releasing Mac OS X 10.4.10, Apple has also released Security Update 2007-006. This update affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 and Mac OS X Server v10.4.9. Both vulnerabilities can be triggered while surfing the Internet. One could allow a cross-site scripting attack; the other could cause a denial of service (crash). The update is available from within Mac OS X via the Software Update pane in System Preferences, or from Apple's Software Download, but only for systems that have Safari 3.0 beta installed. It will not appear for Mac OS X users who have not installed Safari 3.0 beta. Additional patches are available for users of Microsoft Windows XP and Windows Vista.
Patch for WebCore
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later, and addresses CVE-2007-2401. An HTTP injection is possible within XMLHttpRequest when it serializes headers into an HTTP request. Successful exploitation could result in cross-site requests to malicious sites.
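The class of bug described above, as an added JavaScript example (not WebKit's code and not taken from Apple's advisory): a header serializer that concatenates caller-supplied strings, beside one that validates them first. It assumes the injection vector is a CR or LF embedded in a header name or value, which the page does not spell out; all function names and the sample header are constructed for illustration.

```javascript
// Added illustration, not WebKit source. Assumption: the injection vector is a
// CR or LF inside a header name or value supplied by page script.

// Naive serializer: copies caller-supplied strings straight into the request head.
function serializeNaive(method, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of headers) out += `${name}: ${value}\r\n`;
  return out + "\r\n";
}

// RFC 7230 "token" characters permitted in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Characters a field value must not contain: CR, LF, NUL and other controls
// (horizontal tab, 0x09, is allowed).
const BAD_VALUE = /[\x00-\x08\x0A-\x1F\x7F]/;

// Hardened serializer: rejects any header that could end its own line early.
function serializeStrict(method, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of headers) {
    if (!TOKEN.test(name)) {
      throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (BAD_VALUE.test(value)) {
      throw new SyntaxError(`control character in value of ${name}`);
    }
    out += `${name}: ${value.trim()}\r\n`;
  }
  return out + "\r\n";
}

// Header names a receiving server would parse out of the serialized head.
function parsedHeaderNames(raw) {
  const head = raw.split("\r\n\r\n")[0];
  return head.split("\r\n").slice(1).map((line) => line.split(":")[0]);
}

// Constructed input: the caller sets ONE header whose value embeds a CRLF.
const constructed = [["X-Note", "hello\r\nX-Injected: yes"]];

// The naive form yields two headers on the wire; the strict form refuses.
console.log(parsedHeaderNames(serializeNaive("GET", "/", constructed)));
try {
  serializeStrict("GET", "/", constructed);
} catch (err) {
  console.log("rejected:", err.message);
}
```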
Patch for WebKit
This patch affects users of Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later, and addresses CVE-2007-2399. A memory corruption issue exists, caused by an invalid type conversion when rendering frame sets. Visiting a maliciously crafted Web site could allow a denial-of-service (crash) or arbitrary code execution.