Apple on Wednesday released an update to its Safari Web browser for Mac OS X and Windows. The new release is available for download from Apple’s Web site and through the Software Update system preference.
Apple indicates in its release note that Safari 3.1.1 “includes improvements to stability, compatibility and security,” though the company did not offer any further clarification in that note. Apple recommends the update for all Safari users.
In a separately published tech note, Apple offered more details about what Safari 3.1.1 fixes in terms of security. Issues that affect the Mac version of Safari include a change to WebKit to improve handling of URLs to prevent cross-site scripting, and additional validation of JavaScript regular expressions to help prevent a heap buffer overflow that can cause Safari to unexpectedly quit or execute code.
The WebKit change fixes the flaw that earned one security researcher $10,000 at the CanSecWest security conference.
The flaw was exploited by Independent Security Evaluators Researcher Charlie Miller to gain access to a MacBook Air computer three weeks ago. It lies in the WebKit open-source HTML rendering engine used by Safari and several other Mac OS X programs.
There was one other winner in the CanSecWest PWN 2 OWN contest, which invited hackers to try to break into Windows, Mac and Linux computers. Shane Macaulay, a researcher with the Security Objectives consultancy, hacked into a Vista machine using an Adobe Flash Player bug, which was patched last week.
WebKit is also part of Apple’s Dashboard and Mail software. An Apple spokesman could not say whether users of those products were also at risk from this attack.
In an e-mail interview, Miller said anything that used an older version of WebKit would be vulnerable. This might include Linux browsers and mobile-phone browsers, he said.
A second WebKit flaw, patched Wednesday, could lead to a cross-site scripting attack, in which an attacker can do things such as steal the login credentials or log the keystrokes of a victim.
Both the Windows and Mac OS X versions of Safari are vulnerable to these WebKit flaws, Apple said in its security advisory.
Robert McMillan of IDG News Service contributed to this report.
Updated at 5:15 p.m. PT to include more information on the WebKit changes and the CanSecWest security conference from IDG News Service.