May 8, 2 p.m. ET
Your prospects are sourcing new services at an ever increasing rate, which gives you the opportunity to stand out! In order to seize this opportunity, you need compelling IT services that support core business needs, are high value, drive profits and are cost effective to deliver. Join this eSeminar and learn how to structure and manage services to expand your customer base. Register now, attend live or view
on-demand!
The Safari 3.1.1 update includes a patch
for the flaw that allowed the hijack of a MacBook Air laptop at the CanSecWest "PWN to OWN" security contest.
Apple has slapped a Band-Aid on its Safari for Windows browser to cover four
vulnerabilities that could lead to code execution, cross-site scripting and URL
spoofing attacks.
According to Apple's advisory, the CanSecWest bug was a heap buffer overflow in
WebKit's handling of JavaScript regular expressions. WebKit is an open-source Web
browser engine used by Safari.
"The issue may be triggered via JavaScript when processing regular
expressions with large, nested repetition counts. This may lead to an
unexpected application termination or arbitrary code execution," Apple
warned, crediting contest winner Charlie Miller and TippingPoint Technologies'
Zero Day Initiative for reporting the issue.
The Safari update, which is available for Windows XP, Windows Vista and Mac OS
X (Tiger and Leopard), also provides the following fixes, according to Apple:
CVE-2008-1024 (available for Windows XP or Vista)—"A
memory corruption issue exists in Safari's file downloading. By enticing a user
to download a file with a maliciously crafted name, an attacker may cause an
unexpected application termination or arbitrary code execution. … This issue
does not affect Mac OS X systems."
CVE-2008-1025 (available for Mac OS X , Windows XP or Vista)—"An
issue exists in WebKit's handling of URLs containing a colon character in the
host name. Opening a maliciously crafted URL may lead to a cross-site scripting
attack." The Google Information Security Team is credited with finding
this vulnerability.
CVE-2007-2398 (available for Windows XP or Vista)—"A
timing issue in Safari 3.1 allows a Web page to change the contents of the
address bar without loading the contents of the corresponding page. This could
be used to spoof the contents of a legitimate site, allowing user credentials
or other information to be gathered. This issue was addressed in Safari Beta
3.0.2, but reintroduced in Safari 3.1."
Test drive and take home three new products!
Attend the upcoming launch of three powerful new products, take a test drive, meet the teams, and leave with promotional copies of Windows Server® 2008, Microsoft® SQL Server® 2008, and Microsoft Visual Studio® 2008. Register today!>>
Tech-Ed 2008 Microsoft’s premier technical education conference for developers and IT professionals.
June 3-6 & 10-13 | Orlando, FL Register today!
Sponsored by Ziff Davis Enterprise Group
DOWNLOADABLE ROI CALCULATORS & TOOLS FROM BASELINE
Calculate Cost and ROI of Spam, VOIP, RFID, Sarbanes-Oxley and more...
