Three days after unleashing a bug-infested beta version of its Safari browser on Windows users, Apple has released an update plugging three serious holes that could allow miscreants to commandeer a user's machine.

The fixes are available by downloading Safari 3.0.1 Public Beta for Windows (http://www.apple.com/safari/download/) or by using the "Apple Software Update" application, which is installed with the most recent Windows version of QuickTime or iTunes. Mac users are unaffected by the vulnerabilities and need not take action.

The ink wasn't even dry on Tuesday's press release announcing the Windows beta when at least three separate researchers said they found gaping holes in Safari, which Apple likes to say was designed "to be secure from day one."

Among the flaws was one discovered (http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/) by security researcher Thor Larholm that could allow a specially-crafted website to execute malicious code on a Windows machine running Safari. Aviv Raff (http://aviv.raffon.net/CommentView,guid,54A1DB79-0ECB-4F13-99AE-45BAB70C4256.aspx#a0ac5417-013d-43ae-9abc-7d265113892c) and David Maynor (http://erratasec.blogspot.com/2007/06/niiiice.html) also pokes holes in the rookie browser.

We are genuinely impressed with the swiftness of this update. Yes, it indicates Apple is serious about being an important browser contender for Windows users. But it also shows that the company is bringing the requisite urgency to providing users with products that are secure.

That said, we wouldn't be at all surprised if other security flaws are discovered in Safari for Windows over the coming weeks or months. Windows users who aren't researchers or software developers may want to think twice about using Safari while it's still in beta. ®

Related stories

Apple's carpet-bomb Safari flaw can wreak havoc on Windows (10 June 2008)
http://www.theregister.co.uk/2008/06/10/apple_safari_carpet_bombing_demo/
QuickTime streaming media exploit targets unpatched bug (26 November 2007)
http://www.theregister.co.uk/2007/11/26/quicktime_exploit/
QuickTime update fixes code-execution holes (6 November 2007)
http://www.theregister.co.uk/2007/11/06/new_quicktime_update/
Mozilla confirms own URL handling bug (25 July 2007)
http://www.theregister.co.uk/2007/07/25/firefox_url_bug/
Safari gets four new fixes (26 June 2007)
http://www.theregister.co.uk/2007/06/26/four_safari_fixes/
Apple TV gets its first critical security patch (20 June 2007)
http://www.theregister.co.uk/2007/06/20/critical_appletv_patch/
Apple's Safari lacks bold vision (13 June 2007)
http://www.theregister.co.uk/2007/06/13/safari_cant_see_bold/
Security researchers poke holes in Safari (12 June 2007)
http://www.theregister.co.uk/2007/06/12/safari_security_bugs/
Apple's Safari 3: a crashing experience for non-US users (12 June 2007)
http://www.theregister.co.uk/2007/06/12/safar_crashing_experience/
Jobs chucks Leopard titbits to Apple masses (12 June 2007)
http://www.theregister.co.uk/2007/06/12/jobs_wwdc_07_leopard/
Jobs: one more thing... a browser war (12 June 2007)
http://www.theregister.co.uk/2007/06/12/apple_browser_war_safari_firefox/
Programming for Silverlight: a Q&A with Microsoft (11 May 2007)
http://www.theregister.co.uk/2007/05/11/silverlight_programming_q_and_a/
Apple patches security hole in QuickTime (2 May 2007)
http://www.theregister.co.uk/2007/05/02/apple_quicktime_patch/
QuickTime, not Safari, to blame for MacBook vuln (25 April 2007)
http://www.theregister.co.uk/2007/04/25/quicktime_vuln_fells_mac/