Languages

Archived - About the security content of Safari 3 Beta Update 3.0.3

This article has been archived and is no longer updated by Apple.
This document describes the security content of Safari 3 Beta Update 3.0.3, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."
 

Safari 3 Beta Update 3.0.3

  • Safari

    CVE-ID: CVE-2007-3743

    Available for: Windows XP or Vista

    Impact: Adding bookmarks may lead to an unexpected application termination or arbitrary code execution

    Description: A stack buffer overflow vulnerability exists in Safari's bookmark handling. By enticing a user to add a bookmark with an overlong title, an attacker may trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing proper bounds checking. This issue does not affect Mac OS X systems.

  • WebKit

    CVE-ID: CVE-2007-2408

    Available for: Mac OS X v10.4.9 or later, Windows XP or Vista

    Impact: Visiting a malicious website may allow Java applets to load and run even when Java is disabled

    Description: Safari provides an "Enable Java" preference, which when unchecked should prevent the loading of Java applets. By default, Java applets are allowed to be loaded. Navigating to a maliciously crafted web page may allow a Java applet to be loaded without checking the preference. This update addresses the issue through a stricter check of the "Enable Java" preference. Credit to Rhys Kidd and Scott Wilde for reporting this issue

  • WebKit

    CVE-ID: CVE-2007-3742

    Available for: Mac OS X v10.4.9 or later, Windows XP or Vista

    Impact: Look-alike characters in a URL could be used to masquerade a website

    Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check. Credit to Tomohito Yoshino of Business Architects Inc. for reporting this issue.

  • WebKit

    CVE-ID: CVE-2007-3944

    Available for: Mac OS X v10.4.9 or later, Windows XP or Vista

    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

    Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information.

Last Modified: Feb 20, 2012
  • Last Modified: Feb 20, 2012
  • Article: TA24875
  • Views:

    null

Additional Product Support Information