The wait is over
Just a couple days after our bemoaning the relatively long wait for a fix to the recent CanSecWest Safari vulnerability, Apple has now released Safari 3.1.1, which claims to fix that very bug. According to the release notes:
Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in WebKit's handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller for reporting these issues.
Charlie Miller was the researcher at CanSecWest who won the MacBook Air by using the vulnerability to take over the machine. Clearly this is not one of those “theoretical vulnerabilities,” so this particular fix should certainly be installed quickly on all machines using Safari 3.1. Mr. Miller did the right thing by not disclosing the actual bug until Apple had it fixed, but now that it’s fixed, its details will no doubt come out, and unfixed machines will be at risk.
It took Apple about 3 weeks after notification to issue the fix. To us here, that feels like an awfully long time. A lot can go wrong in 3 weeks. But in the overall scheme of things, maybe it’s not really that long after all.
Thursday, April 17, 2008