Apple finally fixed a "carpet bombing" flaw in the Windows version of its Safari web browser, but security researchers warn that the consumer electronics giant's patch only provides partial relief from bugs involving the interaction of Safari and other browser packages.

A flaw that meant Safari automatically downloaded executable files based on IE zone settings was one of three vulnerabilties in the browser addressed in an update published by Apple on Thursday.

The other two updates addressed errors in processing image files that created a memory disclosure risk and a memory corruption flaw involving the handling of JavaScript arrays.

Upgrading to version 3.1.2 addresses all three bugs, according (http://support.apple.com/kb/HT2092) to Apple.

However, security researcher Billy Rios warns that the "carpet bombing" fix is only partial. If Safari is used on a system where Firefox is also installed it might be possible to steal arbitary files, he warns. The flaw, like the carpet bombing bug before it, involves a blended threat concerning how Safari and other browser packages work together. Rios is holding back details of the bug pending a release from Apple. ®

Related stories

• Researcher warns of data-snooping bug in Apple's Safari (13 January 2009)

  http://www.channelregister.co.uk/2009/01/13/safari_data_snooping_bug/

• Apple anti-virus advice was nothing new (3 December 2008)

  http://www.theregister.co.uk/2008/12/03/apple_av_advice/

• Chrome sweeps carpet-bombing bug under the rug (22 October 2008)

  http://www.theregister.co.uk/2008/10/22/chrome_carpet_bombing/

• Apple releases bumper patch batch (16 September 2008)

  http://www.theregister.co.uk/2008/09/16/apple_security_update_sept/

• Carpetbomb bug tarnishes Google Chrome (3 September 2008)

  http://www.theregister.co.uk/2008/09/03/google_chrome_vuln/

• Mac users urged to ditch Safari (5 August 2008)

  http://www.theregister.co.uk/2008/08/05/ditch_safari_phishing_criticism/

• Firefox sweeps away carpet bombing bug (17 July 2008)

  http://www.channelregister.co.uk/2008/07/17/firefox_updates/

• Mozilla insists Firefox 3.1 won't hit bum note for developers (14 July 2008)

  http://www.theregister.co.uk/2008/07/14/firefox_3_1_ass/

• Built-in browser expiry proposed to fight botnet menace (3 July 2008)

  http://www.channelregister.co.uk/2008/07/03/browser_insecurity_survey/

• Get 'em while they're hot: critical security fixes from Microsoft, Apple (10 June 2008)

  http://www.channelregister.co.uk/2008/06/10/microsoft_and_apple_security_patches/

• Apple's carpet-bomb Safari flaw can wreak havoc on Windows (10 June 2008)

  http://www.channelregister.co.uk/2008/06/10/apple_safari_carpet_bombing_demo/

• Safari practices self-love, claims code monkey (2 June 2008)

  http://www.theregister.co.uk/2008/06/02/safari_comment/

• Microsoft urges Windows users to shun 'carpet bombing' Safari (31 May 2008)

  http://www.channelregister.co.uk/2008/05/31/microsoft_warns_against_apple_safari/

• Samsung retracts Safari phone claim (30 May 2008)

  http://www.reghardware.co.uk/2008/05/30/samsung_l870_safari_claim/

• Apple okay with Safari 'carpet bombing' vuln for now (15 May 2008)

  http://www.channelregister.co.uk/2008/05/15/apple_safari_carpet_bombing_vuln/