This article originally appeared in TidBITS on 2008-04-16 at 6:10 p.m.
The permanent URL for this article is:
Include images: Off

Safari 3.1.1 Addresses Security Issues

by Jeff Carlson

Apple has released Safari 3.1.1 [1] for Mac and Windows, a security update that fixes a vulnerability exploited in the recent Pwn2Own hacking contest at the CanSecWest conference (see "Apple Becomes First Victim in Hacking Contest [2]," 2008-03-28). According to the security release notes [3] for Safari 3.1.1, the update tackles the JavaScript weakness in WebKit exposed at the conference by "performing additional validation of JavaScript regular expressions" to prevent a heap buffer overflow.

A flaw where a colon character in a maliciously crafted URL could lead to a cross-site scripting attack has also been repaired. Two other fixes are specific to the Windows version of Safari: a timing issue that opened up control of the address bar and a memory corruption issue.

Safari 3.1.1 is available via Software Update or as a 39 MB download. It requires Mac OS X 10.4.11 or Mac OS X 10.5.2, or Windows XP or Vista on the PC.