Apple has issued security updates to patch four vulnerabilities in Mac OS X and the Safari beta, marking the
second time in eight days that the company has had to fix its newest browser, which runs on both Mac and Windows XP and Vista machines.
The 2007-006 update for Mac OS X 10.3, "Panther" and 10.4 "Tiger," fixes a pair of problems in Safari -- the production-quality versions bundled with the operating system -- including a memory corruption vulnerability that could end with an attacker in control of the Mac. "Visiting a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution," Apple said in its alert.
The second bug, and to Apple, the less serious of the two, is a cross-site scripting flaw (XSS) in Safari that could be used by phishing sites to steal usernames and passwords.
Apple last week also updated the Safari beta first released June 11, to version
3.0.2 for both Mac and Windows. Mac Safari 3.0.2 patches another XSS bug, while the Windows edition fixes that, plus a separate vulnerability that could let an attacker disguise the browser's address bar, perhaps as part of a spoofed site meant to trick users into divulging confidential information, such as bank account passwords.
For Mac users, 2007-006 and the Safari update are mutually exclusive. If a Mac user has installed Safari Beta 3, only the Safari update will be offered; users who haven't bothered to try out the beta will see only the standard Mac OS X update. Windows users can update Safari to 3.0.2 by downloading the new version from Apple's site, or by running the optional Apple Software Update utility.
The just-patched Safari bugs were credited to a team at Adobe Systems, as well as to researchers at Westnet, an Australian Internet service provider, and Westpoint, a UK-based security company.