Apple on Friday posted Security Update 2007-006,
available for download
from the Web site and from the Software Update system preference. The update can be applied to Mac OS X v10.3.9 and Mac OS X v10.4.9.
The update makes changes to WebCore, Apple’s framework for providing an HTML layout engine for Mac OS X, and WebKit, Apple’s application framework that serves as a basis for the Safari Web browser. Two issues are addressed by this update.
In WebCore, visiting a malicious Web site can allow cross-site requests by exploiting the XMLHttpRequest command. This update performs additional validation of header parameters to avoid that problem. And in WebKit, a maliciously crafted Web site can cause an unexpected application termination or arbitrary code execution. The update corrects that issue.