Apple closes 23 critical holes in Safari
Apple has released versions 5.0.3 and 4.1.3 of Safari, updates that address several security vulnerabilities in the WebKit-based browser. In total, the Safari updates fix 27 security holes in the browser's open source WebKit rendering engine, most of them rated as critical.
According to Apple, 23 of the vulnerabilities could allow an attacker to crash a victim's browser or execute arbitrary code on a user's system. For an attack to be successful, a victim must first visit a specially crafted web page. Additional issues include flaws that could, for example, allow web sites to surreptitiously track users or allow malicious sites to disclose image data from another web site. Other changes include fixes for DNS pre-fetching and a bug that allowed some sites to spoof the address in the location bar or add arbitrary locations to the history.
In addition to the above security issues, the browser updates correct an issue that could cause content using the Flash 10.1 plug-in to overlap web page content, add more reliable pop-up blocking, improve JavaScript and VoiceOver stability and provide fixes for search and text input fields on netflix.com and facebook.com.
Safari 5.0.3 is available to download for Mac OS X 10.5.8 Leopard, 10.6.2 Snow Leopard and Windows XP SP2 or later. Alternatively, Safari 4.1.3 is provided for users running Mac OS X 10.4.11 Tiger. Mac OS X users can upgrade to the latest release via the built-in Software Update function. All users are advised to upgrade to the latest release as soon as possible.
See also:
- About the security content of Safari 5.0.3 and Safari 4.1.3, security advisory from Apple.
- Apple re-posts Mac OS X Server 10.6.5 update, a report from The H.
- Apple releases Mac OS X 10.6.5 update, a report from The H.
(crve)