Apple Patches Three Bugs In Safari For Windows Beta

Just days after researchers started pulling up bug after bug in Apple's shiny new Safari for Windows beta release, the company issued a new version of the software that patches three of the vulnerabilities.

Safari 3.0.1 Public Beta for Windows fixes two flaws that only affect the Windows version of Apple's browser, along with one vulnerability that affects Windows and also could crash the browser running on the Mac OS X operating system.

"I think it was obvious they had to do this to save the day since there were so many problems with the release," said Johannes Ullrich, chief research officer of the SANS Institute and chief technology officer for the Internet Storm Center, in an interview. "For a beta product like this, it's really in development, so it's for people to play with and test. And they really have."

Ullrich said it's hard to track how many bugs have been found in the beta software this week because some have been posted, but are unproven, and yet others may be duplicates. He estimates that there have been five to 10 proven vulnerabilities found since Monday.

Alfred Huger, vice president of Security Response at Symantec, said he has a tally of four proven Safari for Windows bugs. "It speaks well that they've turned patches around so quickly," he said in an interview. "It's a positive sign that they're being responsible. How quickly a vendor responds is part and parcel of the quality of the software."Since this is a beta release, Ullrich said he expects to see fairly frequent updates coming out.

According to an Apple advisory issued Thursday, a command injection vulnerability in the original beta could be used to trigger remote code execution. The bug could be exploited if the user visits a malicious Web site. This update fixes the vulnerability by performing additional processing and URL validation, according to the advisory.

The two other bugs being fixed in this beta version also can be exploited if a user visits a malicious Web site.

One bug could allow cross-site scripting. The flaw enables a hacker to gain access to JavaScript objects or to remotely execute JavaScript in the context of another Web page. This flaw does not affect Mac OS X systems.

Apple describes the last bug being patched as an out-of-bounds memory read issue, which could lead to unexpected application termination or arbitrary code execution when a user visits a malicious Web site. This, too, does not affect Mac OS X systems.The patches are quick on the heels of widespread news that researchers have been finding a mounting number of vulnerabilities in the beta. Researchers were finding flaws in the new browser's coding within an hour of its release, according to Ullrich.

This for the browser that Apple touted as enabling "worry-free" browsing. "Apple engineers designed Safari to be secure from day one," the company said on its Web site.

Researchers, who generally don't delve all that forcefully into Apple's code looking for vulnerabilities, were lured to this beta because it's a Windows version of the browser. And researchers typically comb through Windows applications, particularly browsers.