Apple Releases Safari 3.1.1, Addresses PWN2OWN Vulnerability

Discussion in 'MacRumors.com News Discussion' started by bcomer, Apr 16, 2008.

  1. bcomer macrumors member

    Joined:
    Jan 25, 2008
    Location:
    Ottawa
    #1
    Apple has released Safari 3.1.1 for download.
     
  2. Sky Blue Guest

    Sky Blue

    Joined:
    Jan 8, 2005
  3. Tallest Skil macrumors P6

    Tallest Skil

    Joined:
    Aug 13, 2006
    Location:
    1 Geostationary Tower Plaza
    #3
    Ooh! Let me guess what it fixes! Um... "general compatibility and security issues"

    Edit: Well, actually, I forgot stability!
     
  4. BoyBach macrumors 68040

    BoyBach

    Joined:
    Feb 24, 2006
    Location:
    UK
    #4
    According to Software Update:


    EDIT: p.s. It also requires a restart.
     
  5. MacMan33 macrumors regular

    MacMan33

    Joined:
    Jun 27, 2007
    Location:
    Chicago
    #5
    Hope this makes a difference, it has been crazing on me for a while now...:rolleyes:
     
  6. hodgjy macrumors 6502

    Joined:
    Apr 15, 2005
    #6
    Does anyone know if this is based on a newer version of Webkit?
     
  7. sblasl macrumors 6502a

    sblasl

    Joined:
    Apr 25, 2004
    Location:
    Heber Springs, AR
    #7
    CVE-ID: CVE-2008-1024
    Available for: Windows XP or Vista
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems.


    WebKit
    CVE-ID: CVE-2008-1025
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
    Impact: Visiting a malicious website may result in cross-site scripting
    Description: An issue exists in WebKit's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs. Credit to Robert Swiecki of Google Information Security Team and David Bloom for reporting this issue.


    WebKit
    CVE-ID: CVE-2008-1026
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
    Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
    Description: A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller for reporting these issues.

    Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information."
     
  8. -Alan- macrumors member

    Joined:
    Mar 10, 2007
    #8
    Safari Reset

    I was hoping Safari's Reset would be fixed. The reset doesn't work reliably. You have to change an option each time for it to work.
     
  9. jas8522 macrumors newbie

    Joined:
    Dec 31, 2007
    #9
    Charlie Miller

    Notice the last one there - a bug in WebKit that could allow arbitrary code execution (reported by Charlie Miller)? Arbitrary code execution... sounds like what happened recently when a MacBook Air was hacked at a security conference by ... oh wait, it was Charlie Miller!

    http://venturebeat.com/2008/03/28/charlie-miller-making-his-name-in-mac-hacking/

    Seems like the WebKit team has patched the vulnerability.
     
  10. Morod macrumors 68000

    Morod

    Joined:
    Jan 1, 2008
    Location:
    On The Nickel, over there....
    #10
    Did someone say "snappier"? :D
    I downloaded it, not sure that I see a difference yet.
    Morod
     
  11. dejo Moderator

    dejo

    Staff Member

    Joined:
    Sep 2, 2004
    Location:
    The Centennial State
    #11
    I wonder how Gmail and MacRumors handle 3.1.1 now that it's officially released. I had it as part of the last 10.5.3 seed and both sites considered it an unsupported browser.
     
  12. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #12
    Apple Releases Safari 3.1.1, Addresses PWN2OWN Vulnerability

    Apple has released Safari 3.1.1 for Mac and Windows, now available via its website and Software Update.

    Most significantly, Apple notes that 4 security issues have been patched in the release, one of which was recently used to successfully attack a MacBook Air in the CanSecWest PWN2OWN contest.

     
  13. -Alan- macrumors member

    Joined:
    Mar 10, 2007
    #13
    Safari Reset

    I was hoping Safari's Reset would be fixed. The reset doesn't work reliably. You have to change an option each time for it to work.

    (I made this same post to the other thread)
     
  14. aliquis- macrumors 6502a

    Joined:
    May 20, 2007
    #14
    So when will they fix the memory leaks and the occasional bla bla do you really want to close x number of tabs when it for whatever reason believes I want to close a window and not a tab with command-w?

    Safari uses like 1GB RAM within a day and I hate when I just press enter and boom, gone.

    A good undo such as the one in Opera would be nice too.

    Or one can just use Opera ...

    Would be sweet if they could make it so plugins work with different versions as well, I can't run PithHelmet with 3.1.

    Would be nice if one could always quit it without using force quit every now and then as well.

    Safari is a piece of junk.
     
  15. Toe macrumors 65816

    Toe

    Joined:
    Mar 25, 2002
    #15
    This update seems to be nothing but security (i.e., no feature changes). The detail page does not say anything at all, besides linking to the security page, which then links to the security detail.
     
  16. ShiggyMiyamoto macrumors 6502a

    ShiggyMiyamoto

    Joined:
    Mar 29, 2004
    Location:
    Just outside Boston, MA.
    #16
    Haha.. pwn2own... Wow. My MacBook is in the shop right now, but once I get it back I'll do this update...
     
  17. hodgjy macrumors 6502

    Joined:
    Apr 15, 2005
    #18
    This, to me, means that the final version of 10.5.3 is not due out for a while--otherwise Apple wouldn't have released Safari 3.1.1 as a separate, high priority update.

     
  18. firstapple macrumors 6502a

    firstapple

    Joined:
    Sep 25, 2007
    #19
    I wouldn't expect any features in a 3.1.x update. Simply security fixes. Can't complain too much about that right?

    An added note though... 39 MB's??? Geez, must be quite the security fixes
     
  19. BlakTornado Guest

    BlakTornado

    Joined:
    Apr 24, 2007
    Location:
    Washington, OH
    #20
    But the real question is: Are large RSS feeds going to keep making it hang?

    Oh and does it still leak memory?
     
  20. Clive At Five macrumors 65816

    Clive At Five

    Joined:
    May 26, 2004
    Location:
    St. Paul, MN
    #21
    Great, now I have to uncheck the intrusive Safari "INSTALL ME" box for the next three weeks before I decide, "screw it" and install the new version, even though I don't want it, but I'll do it so it will stop hassling me.
     
  21. 50548 Guest

    Joined:
    Apr 17, 2005
    Location:
    Currently in Switzerland
    #22
    I wonder if the habitual whiners in this forum are still gonna complain about Apple's "tardy reaction" to security issues...Apple not only promptly listens to its customers when it comes to OS criticism (such as Stacks), but also addresses in due course the relevant issues that are identified...

    GO APPLE!
     
  22. bob-innox macrumors newbie

    Joined:
    Apr 3, 2008
    #23
    What's with all the "Requires a restart" nonsense?

    Is this to make it compatible with Windows?
     
  23. Pippen Man macrumors regular

    Joined:
    Jan 15, 2008
    #24
    I've downloaded it, but the only problem I've ever had with Safari (on a Vista computer) is that I couldn't download anything from websites. The download window would never work, and the files would never open.

    Any suggestions?

    P.S. No Windows Vista bashing, or I'll have your heads. :)
     
  24. TheSpecialist macrumors 6502

    Joined:
    Jun 11, 2007
    Location:
    The Netherlands, Europe
    #25
    Apple Software Update is now version 2.1 for Windows :D!
     
