CVE-ID: CVE-2008-1024
Available for: Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems.


WebKit
CVE-ID: CVE-2008-1025
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
Impact: Visiting a malicious website may result in cross-site scripting
Description: An issue exists in WebKit's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs. Credit to Robert Swiecki of Google Information Security Team and David Bloom for reporting this issue.


WebKit
CVE-ID: CVE-2008-1026
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller for reporting these issues.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information."
 
Safari Reset

I was hoping Safari's Reset would be fixed. The reset doesn't work reliably. You have to change an option each time for it to work.
 
I wonder how Gmail and MacRumors handle 3.1.1 now that it's officially released. I had it as part of the last 10.5.3 seed and both sites considered it an unsupported browser.
 
Apple Releases Safari 3.1.1, Addresses PWN2OWN Vulnerability



Apple has released Safari 3.1.1 for Mac and Windows, now available via its website and Software Update.

This update is recommended for all Safari users and includes improvements to stability, compatibility and security.

Most significantly, Apple notes that 4 security issues have been patched in the release, one of which was recently used to successfully attack a MacBook Air in the CanSecWest PWN2OWN contest.

 
Safari Reset

I was hoping Safari's Reset would be fixed. The reset doesn't work reliably. You have to change an option each time for it to work.

(I made this same post to the other thread)
 
So when will they fix the memory leaks and the occasional bla bla do you really want to close x number of tabs when it for whatever reason believes I want to close a window and not a tab with command-w?

Safari uses like 1GB RAM within a day and I hate when I just press enter and boom, gone.

A good undo such as the one in Opera would be nice too.

Or one can just use Opera ...

Would be sweet if they could make it so plugins work with different versions as well, I can't run pithelmet with 3.1.

Would be nice if one could always quit it without using force quit every now and then as well.

Safari is a piece of junk.
 
This update seems to be nothing but security (i.e., no feature changes). The detail page does not say anything at all, besides linking to the security page, which then links to the security detail.
 
This, to me, means that the final version of 10.5.3 is not due out for a while--otherwise Apple wouldn't have released Safari 3.1.1 as a separate, high priority update.

I wonder how Gmail and MacRumors handle 3.1.1 now that it's officially released. I had it as part of the last 10.5.3 seed and both sites considered it an unsupported browser.
 
This update seems to be nothing but security (i.e., no feature changes). The detail page does not say anything at all, besides linking to the security page, which then links to the security detail.

I wouldn't expect any features in a 3.1.x update. Simply security fixes. Can't complain too much about that right?

An added note though... 39 MB's??? Geez, must be quite the security fixes
 
Great, now I have to uncheck the intrusive Safari "INSTALL ME" box for the next three weeks before I decide, "screw it" and install the new version, even though I don't want it, but I'll do it so it will stop hassling me.
 
Notice the last one there - a bug in WebKit that could allow arbitrary code execution (reported by Charlie Miller)? Arbitrary code execution... sounds like what happened recently when a MacBook Air was hacked at a security conference by ... oh wait, it was Charlie Miller!

http://venturebeat.com/2008/03/28/charlie-miller-making-his-name-in-mac-hacking/

Seems like the WebKit team has patched the vulnerability.

I wonder if the habitual whiners in this forum are still gonna complain about Apple's "tardy reaction" to security issues...Apple not only promptly listens to its customers when it comes to OS criticism (such as Stacks), but also addresses in due course the relevant issues that are identified...

GO APPLE!
 
What's with all the "Requires a restart" nonsense?

Is this to make it compatible with Windows?
 
I've downloaded it, but the only problem I've ever had with Safari (on a Vista computer) is that I couldn't download anything from websites. The download window would never work, and the files would never open.

Any suggestions?

P.S. No Windows Vista bashing, or I'll have your heads. :)
 