OS X 10.4 - Remote hacker automatic control
Version: | At least version 10.4.9 |
Technical Details: | Remote code execution vulnerabilities affecting WebCore and WebKit. The WebCore vulnerabilities are in the handling of malicious XMLHttpRequest function calls and lead to application crashes and arbitrary code execution; the WebKit vulnerabilities are in the handling of framesets. |
Description: |
A couple of vulnerabilities have been discovered affecting different components of OS X's support for handling HTML and JavaScript. In the worst case, these vulnerabilities can allow a remote attacker to take control of a vulnerable system or to crash the application that is accessing those system components. |
Mitigation: |
Apply Security Update 2007-006 at the earliest opportunity. Users of the Safari 3 Beta will find that a combined Safari Update installs the Security Update 2007-006 patches alongside the Safari Update. |
Updates: |
http://www.apple.com/support/downloads/ |
Source: |
http://docs.info.apple.com/article.html?artnum=61798 |
Exploits: |
|
External Tracking Data: | CVE-ID: CVE-2007-2401, CVE-2007-2399 |