Apple Posts Safari 3.1.1 Update & EFI Firmware Update 1.5 for MacBook Pros

Apple posted an update to Safari that – amongst other fixes – patches 4 vulnerabilities in the Windows version and 2 in the OS X version of their flagship browser. One of the Windows issues – CVE-2007-2398 – is especially tricksy: “[the vulnerability allows] a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered.” The sad thing is that this was fixed in a previous beta but re-introduced. Sounds like Apple developers need some remedial lessons in secure coding practices.

The truly nasty bug is CVE-2008-1026, which can allow remote code execution due to improper handling of JavaScript regular expressions. Apple also calls out props to Robert Swiecki of the Google Information Security Team, David Bloom and Charlie Miller for finding and reporting these bugs.

Not much information on the firmware update, but Apple claims it fixes some stability issues, so fire up Software Update!

EFI Firmware Update Info & Safari 3.1.1 Security Info

If you experience any issues after installing either update or notice any improvements, drop a note in the comments.