Last month, we reported on the contest organized by
TippingPoint in Vancouver, Canada. During that contest, Charlie
Miller broke into a MacBook Air in just two minutes by exploiting an unknown
vulnerability in the Safari browser. He won a MacBook Air and $10,000.
Yesterday afternoon, Apple issued version 3.1.1 of
Safari to address, among other security issues, the vulnerability discovered
by Miller.
The update is 39MB and is available for both versions of
Safari, for Windows and for Mac.
In the official description of the update, Apple noted:
“CVE-ID: CVE-2008-1026 -
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista.
Description: A heap buffer overflow exists in WebKit’s handling of JavaScript
regular expressions. The issue may be triggered via JavaScript when processing
regular expressions with large, nested repetition counts. This may lead to an
unexpected application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of JavaScript regular
expressions. Credit to Charlie Miller for reporting these issues.”
Two other fixes, CVE-ID: CVE-2007-2398 and CVE-ID:
CVE-2008-1024, were released only for the PC version of Safari. Apple urged all
users to patch their copy of Safari.
Safari version 3.1 for Mac OS X and Windows XP/Vista was
launched by Apple last month. Safari supports CSS animations, CSS web fonts,
and HTML 5 media; it also offers improved SVG support and HTML 5's offline
storage support, among other features.
Apple boasts that Safari loads pages up to 1.9 times faster
than Internet Explorer 7 and up to 1.7 times faster than Firefox 2; and it
executes JavaScript up to 6 times faster than Internet Explorer 7 and up to 4
times faster than Firefox 2.
© 2007 - 2008 - eFluxMedia