Apple plugs three Windows Safari holes

Safari for Windows plugs some holes, but not all

Apple has released an update to the beta of its Safari 3 browser for Windows that repairs three vulnerabilities. 

Two of the repaired flaws could allow an attacker to take control of a system. A third exposes the user to a cross-site scripting vulnerability that could lead to disclosure of confidential information.

Security researchers took just hours to find the first security holes after Apple released a beta of the browser on Monday. Researchers have reported a total of seven security vulnerabilities. 

One of the repaired vulnerabilities was discovered by Thor Larholm, although Apple did not credit the researcher.

"Given that Apple has a lousy track record with security on OS X, and a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted at this new Windows browser," he wrote when he disclosed his vulnerability in a blog posting on Tuesday. 

In another posting on Thursday, Larholm claimed that the update is still ignoring several weak spots in the browser that allow him to crack the security again with a few tweaks to his original exploit. 

Safari 3 is currently in beta making it unlikely that people are using the software as their primary browser. This will limit the risk that attackers will target the vulnerabilities.

Breaking with the way the company traditionally discloses security flaws, Apple did not post details of the update on its security updates site but disclosed them in an email to a mailing list. 

Apple is breaking with common procedures in other areas too. The update to the application is listed as version 3.01, but it is uncommon to change version numbers of software when in the testing phase.