Apple plays catch-up, adds anti-fraud safeguard to Safari

Also patches 11 bugs in Windows browser, 4 in the Mac version

According to the accompanying advisory, a majority of the bugs -- eight out of the 11 in Windows, two of the four in Mac OS X -- were pegged with the phrase "arbitrary code execution," Apple's way of saying that the vulnerability is critical and could be exploited by hackers to hijack a PC or Mac.

Several of the Windows-specific vulnerabilities were due to poor handling of various image formats -- including those with .tif and .jpg file extensions -- by the browser, while others could be used to steal personal information or crash the computer.

Three of the bugs, all pertinent only to the Mac edition, were WebKit vulnerabilities that had been fixed previously by the open-source project's developers. Safari, like Google Inc.'s Chrome, uses the WebKit engine.

Of the three WebKit-related flaws, one was attributed to Billy Rios and Nitesh Dhanjani, researchers who work for Microsoft and Ernst & Young, respectively. Of the two, Dhanjani is probably better known; earlier this year, he disclosed the so-called "carpet bomb" threat to browsers in general, Safari in particular.

After first denying that the threat was a security issue, Apple did a turn-about and patched its browser in mid-June. Mozilla and Google soon followed suit.

Safari 3.2 can be downloaded from Apple's site, while existing installations can be updated using the browser's built-in update feature, or on Windows, by running the separate Apple Software Update utility.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags safari

More about AMPAppleeBayGoogleMicrosoftMozillaPayPalSocketSymbol

Show Comments