Following a recent rush of concern regarding the security associated with Apple’s Safari web browser when running on Microsoft’s Windows operating systems, the Cupertino-based computer and gadget specialist has delivered a fix that patches four notable security gaps, including the ‘carpet bomb’ vulnerability.
Apple offers up glitch fixes via Safari 3.1.2 update. Image: Apple.
The Safari ‘carpet bomb’ exploit (CVE-2008-2540), if left unaddressed, would have enabled attackers to covertly download and run harmful files through the Windows operating system, leaving the user’s computer desktop open to being crammed with unwanted and potentially malicious files.
“Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop,” outlines Apple in reference to its carpet bomb fix. “To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP.”
The new Safari 3.1.2 update, which Apple recommends for all Safari users, also eliminates other Windows-specific problems connected with GIF and BMP image files, Internet Explorer 7 security zones, and WebKit's handling of JavaScript arrays.
Specifically, for users of both Windows XP and Windows Vista, the 3.1.2 update fixes CVE-2008-1573, an out-of-bounds memory read in the handling of GIF and BMP images that can lead to memory disclosure.
With regard to CVE-2008-2306, which involves Internet Explorer 7 security zones on XP and Vista, Apple explains that: “If a Web site is in an Internet Explorer 7 zone with the ‘Launching applications and unsafe files’ setting set to ‘Enable,’ or if a Web site is in the Internet Explorer 6 ‘Local intranet’ or ‘Trusted sites’ zone, Safari will automatically launch executable files that are downloaded from the site.”
Apple has fixed this by adjusting Safari so that it no longer launches downloaded executable files automatically and instead prompts the user first -- if ‘always prompt’ has been set as a parameter.
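Because the auto-launch behaviour quoted above depends on the zone setting ‘Launching applications and unsafe files’ being at ‘Enable’, an administrator may want to audit that setting on affected Windows machines independently of the Safari update. The following PowerShell script is an added example written for this article; it is not code from Apple or from The Tech Herald. It assumes the registry layout that Internet Explorer uses for its zones (the per-user `Zones\<n>` keys under `Internet Settings`, with action value `1806` holding this setting and the documented meanings 0 = Enable, 1 = Prompt, 3 = Disable), and it only changes anything when run with `-Remediate`.

```powershell
# Added example (not Apple's or the article's code): audit the Internet Explorer
# zone setting "Launching applications and unsafe files" for the current user,
# which is the condition under which unpatched Safari would auto-launch downloads.
# Assumption: IE stores the setting as DWORD value 1806 under each zone key,
# with 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [switch]$Remediate   # when set, move any zone at "Enable" to "Prompt"
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actionId  = '1806'      # "Launching applications and unsafe files"

$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}
$settingNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-UnsafeFileLaunchSetting {
    # Returns one object per zone with the raw value and its decoded meaning.
    [CmdletBinding()]
    param()
    foreach ($zoneId in 0..4) {
        $path = Join-Path $zonesRoot $zoneId
        if (-not (Test-Path $path)) { continue }
        $raw = (Get-ItemProperty -Path $path -Name $actionId -ErrorAction SilentlyContinue).$actionId
        $decoded = if ($null -eq $raw) {
            'not set (zone default)'
        } elseif ($settingNames.ContainsKey([int]$raw)) {
            $settingNames[[int]$raw]
        } else {
            "unknown ($raw)"
        }
        [pscustomobject]@{
            Zone     = $zoneId
            ZoneName = $zoneNames[$zoneId]
            Value    = $raw
            Setting  = $decoded
            Path     = $path
        }
    }
}

$results = Get-UnsafeFileLaunchSetting
$results | Format-Table Zone, ZoneName, Setting, Value -AutoSize

# A zone explicitly set to Enable (0) is the weak configuration the article describes.
$weak = @($results | Where-Object { $_.Value -eq 0 })
if ($weak.Count -gt 0) {
    Write-Warning ("{0} zone(s) have 'Launching applications and unsafe files' set to Enable: {1}" -f
        $weak.Count, ($weak.ZoneName -join ', '))
    if ($Remediate) {
        foreach ($z in $weak) {
            # Prompt (1) is the value Internet Explorer itself uses for the Internet zone.
            Set-ItemProperty -Path $z.Path -Name $actionId -Value 1 -Type DWord
            Write-Host "Zone $($z.Zone) ($($z.ZoneName)): changed to Prompt"
        }
    }
} else {
    Write-Host "No zone is explicitly set to launch unsafe files without a prompt."
}
```

Run it without arguments to report, and with `-Remediate` to move any zone at ‘Enable’ to ‘Prompt’. The script reads only the current user's hive; where zone security is enforced machine-wide through Group Policy, the equivalent keys under `HKLM` take precedence and should be reviewed there instead.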
Finally, the update deals with memory corruption vulnerability CVE-2008-2307, which refers to an error with WebKit’s handling of Javascript arrays that could cause a sudden application termination or arbitrary code execution when the user unwittingly lands on a malicious site.
The official Safari 3.1.2 update is available from Apple.