Apple has updates out for security problems in WebCore—Mac OS Xs HTML layout engine—and WebKit, the application framework that serves as an underpinning for Apples Safari browser as well as many other Mac applications.
Security Update 2007-006 takes care of an HTTP injection bug that occurs in WebCores XMLHttpRequest when its serializing headers into an HTTP request. The vulnerability can lead to cross-site scripting attacks if a victim is be lured to a maliciously crafted site.
The WebCore issue affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later.
The other issue, concerning Apples WebKit browser engine, could also make a Mac OS X application user vulnerable to attack if he or she were to visit a maliciously crafted site.
WebKit serves as an engine not only for the Safari browser but also for many other Mac OS X applications, including Dashboard—a set of widgets that delivers real-time weather, stock tickers, flight status and other information—and Mail, the Apple mail client provided with every Mac operating system installation.
The problem with WebKit is an invalid type conversion when rendering frame sets, which can lead to memory corruption. Results range from the application quitting on up to a targeted system getting hijacked with arbitrary code execution.
Apples update for the WebKit glitch is available for Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later.
These updates can be downloaded and installed automatically via Apples Software Update preferences, or from Apple Downloads.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.