Apple issues Safari for Windows update

Apple has rolled out Safari 3.1.2 for Windows

Apple has issued an update for the Windows version of its Safari web browser.

In addition to minor stability fixes, the Safari 3.1.2 for Windows update addresses four security vulnerabilities ranging in severity from information disclosure to the ability to remotely execute code.

Apple is advising all Windows users to install the update, which can be obtained through Apple's software update service or by visiting the Apple Downloads site. The update does not affect Mac users.

The most notable of the four security fixes is the so-called 'carpet bomb' condition disclosed by Microsoft earlier this month.

This flaw could allow malware within a website designated by Internet Explorer as a trusted site to run without user input.

Apple said that it solved the problem by removing Safari's ability automatically to launch downloaded files. The company also added an option to the browser's preferences to require user authorisation before starting any download.

The download prompt was also part of another fix to address a flaw in which files saved directly to the Windows desktop could be launched automatically and potentially used to infect users.

The update changes the default download location to a special folder, rather than directly to the Windows desktop.

Other fixes include a patch for a remote code execution vulnerability in JavaScript handling, as well as a vulnerability in which a specially crafted .bmp or .gif could be used to retrieve memory contents and possibly obtain sensitive user data.