Apple has updates out for security problems in WebCore (Mac OS X’s HTML layout engine) and WebKit, the application framework that serves as an underpinning for many Mac applications. The issue concerning Apple’s WebKit browser engine, could make a Mac OS X application user vulnerable to attack if he or she were to visit a maliciously crafted site. Security Update 2007-006 takes care of an HTTP injection bug that occurs in WebCore’s XMLHttpRequest when it’s serializing headers into an HTTP request. The vulnerability can lead to cross-site scripting attacks if a victim is be lured to a maliciously crafted site. The WebCore issue affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later and Mac OS X Server v10.4.9 or later.
WebKit serves as an engine for the Safari browser as well as many other Mac OS X applications, including Dashboard and Mail. The problem with WebKit is an invalid type conversion when rendering frame sets, which can lead to memory corruption. Results range from the application quitting on up to a targeted system getting hijacked with arbitrary code execution. Apple’s update for the WebKit glitch is available for Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later and Mac OS X Server v10.4.9 or later.
Download: Security Update 2007-006
Apple, Security, Patch, Updates