Safari Users On Windows: Wipe Out 'Carpet Bombing' Threat with Version 3.1.2


At Last, Apple Steps Up to Fix a Big Safari Flaw

ZDNet's Zero Day blog reports that Apple's new 3.1.2 version of Safari for Windows XP and Vista fixes the 'carpet bombing' flaw we told you about early this month. The combination of Safari and Internet Explorer on Windows made it possible to 'carpet bomb' the Windows desktop (Safari's default download location) with files, including malware files. Why? Safari, unlike other browsers, doesn't ask the user for permission to download files.

3.1.2's Other Security Fixes

Safari 3.1.2 also torpedoes three other security problems plaguing Windows XP and Vista users:

    • A fix for the combination of IE7 and Safari on Windows being used to automatically launch executable files from a website in the IE 'Trusted Sites' or 'Intranet' zones
    • A fix for WebKit's handling of JavaScript arrays, which can lead to memory corruption
    • A fix for an out-of-bounds memory read error when handling BMP or GIF images

This quartet of fixes makes Safari 3.1.2 a no-brainer update for current Safari users running Windows. You can read the entire security advisory here, and download Safari 3.1.2 manually here.

While You're Downloading, Grab a New QuickTime, Too

If you haven't updated QuickTime to version 7.5, you should. QuickTime 7.5, released earlier this month, fixes a number of security issues for MacOS as well as Windows.
