Two of the repaired flaws could allow an attacker to take over control of a system. A third one exposes the user to a cross-site-scripting vulnerability that could lead to disclosure of confidential information.
It took security researchers only hours to find the first security holes after Apple released a beta of the browser on Monday. Researchers have reported a combined seven security vulnerabilities.
One of the repaired vulnerabilities was discovered Thor Larholm, although Apple didn't credit the researcher.
"Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser," he wrote when he disclosed his vulnerability in a blog posting on Tuesday.
In another posting on Thursday, he charged that the update is still ignoring several weak spots in the browser that will allow him to crack the browser's security again with a few tweaks to his original exploit.
Safari 3 is currently in beta. It is therefore unlikely that people are using the software as their primary browser, limiting the risk that attackers will target the vulnerabilities.
Breaking with the way the company traditionally discloses security flaws, Apple didn't post details of the update on its security updates site but only disclosed them in an email to a mailing list.
Apple is breaking with common procedures in other areas too. The update to the application is listed as version 3.01, but it's common to change version numbers of software when it's in a testing phase.
Apple plugs some Windows Safari security holes
By Tom Sanders on Jun 15, 2007 10:19AM