If at first you don't succeed; call it version 1.0
Thursday, 14 June 2007

A few hours ago, Apple released a new minor version (v3.0.1 Beta) of Safari for Windows.

From Apple's advisory:


CVE-ID: CVE-2007-3185

Available for: Windows XP or Vista

Impact: Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds memory read issue in Safari 3 Public Beta for Windows may lead to an unexpected application termination or arbitrary code execution when visiting a malicious website. This issue does not affect Mac OS X systems.


I've tested the new version by running Hamachi again. Apparently, this version fixes the vulnerability.

This patch also fixes the command injection vulnerability that was found by Thor.

Apple decided not to credit any of the security researchers in their advisory, and I don't think this is a smart move.

 


Thursday, 14 June 2007 16:56:04 UTC | Comments [1] | Security
Thursday, 14 June 2007 19:25:43 UTC
I've found some more bugs in the HTTP Auth dialogue: http://www.bitsploit.de/archives/435-HTTP-Auth-Bugs-in-Apples-Safari-3-Beta-Windows.html

(Currently not working due to a problem after a changed webroot. I hope it'll only be the next days.)
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.