Apple releases Safari 5.0.5, Security Update 2011-002
Apple has issued a new version of its free WebKit-based Safari web browser for Mac OS X and Windows. According to the company, Safari 5.0.5 includes fixes for two security vulnerabilities in WebKit, both of which have also been addressed in Apple's recent iOS updates.
Reported through TippingPoint's Zero Day Initiative, these are an integer overflow in the handling of nodesets, found by Vincenzo Iozzo, Willem Pinckaers, Ralf-Philipp Weinmann and others, and a use-after-free issue in the handling of text nodes, discovered by Vupen and Martin Barbella. Either could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution. For an attack to be successful, a victim must first visit a maliciously crafted web site.
Apple has also released Security Update 2011-002 for systems running version 10.5 and 10.6 of Mac OS X. Like its recent iOS updates, this one also blocks the fraudulent SSL certificates that were issued after an attacker compromised the Comodo SSL Certification Authority.
The update only applies to Mac OS X systems and adds the bad certificates to a hard-wired blacklist. It does not activate the Keychain's certificate revocation checks, which were a suggested security measure for Safari users on Mac OS X. If the revocation checks are not enabled, users remain exposed if a CA is compromised in future, because a fixed blacklist only covers certificates known to be fraudulent at the time the update was built. On Windows systems, Safari relies on the certificate store of the host operating system to determine whether an SSL server certificate is trustworthy.
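To make the difference between the two mechanisms concrete, here is an added Python illustration (not Apple's code, and not based on the actual blacklist format or certificates in the update). It models a client that always consults a hard-wired fingerprint blacklist and optionally consults CA-published revocation data. All certificates, fingerprints and the hypothetical "Example Intermediate CA" are constructed for the example; the point is that a certificate issued after the blacklist was frozen is only caught when revocation checks are switched on.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    subject: str
    issuer: str
    serial: int
    der: bytes  # would be the DER encoding; here just constructed bytes


def fingerprint(cert: Cert) -> str:
    """SHA-1 over the DER encoding, the usual key used by certificate blacklists."""
    return hashlib.sha1(cert.der).hexdigest()


# --- Constructed sample data (hypothetical CA and certificates) ---------------
# Two fraudulent certificates and one legitimate one, all under the same CA.
KNOWN_FRAUDULENT = Cert("login.example", "Example Intermediate CA", 0x1001, b"constructed-der-1")
LATER_FRAUDULENT = Cert("mail.example", "Example Intermediate CA", 0x1002, b"constructed-der-2")
LEGITIMATE = Cert("www.example", "Example Intermediate CA", 0x1003, b"constructed-der-3")

# A hard-wired blacklist: frozen when the client update was built, so it can only
# ever contain the certificates that were known to be bad at that moment.
HARD_WIRED_BLACKLIST = frozenset({fingerprint(KNOWN_FRAUDULENT)})

# Revocation data published by the CA: issuer name -> set of revoked serial numbers.
# Unlike the blacklist, the CA can extend this after the client has shipped.
CRL = {"Example Intermediate CA": {0x1001, 0x1002}}


def blacklist_rejects(cert: Cert, blacklist=HARD_WIRED_BLACKLIST) -> bool:
    """True if the certificate's fingerprint is on the fixed blacklist."""
    return fingerprint(cert) in blacklist


def revocation_rejects(cert: Cert, crl=CRL) -> bool:
    """True if the issuing CA lists this serial number as revoked."""
    return cert.serial in crl.get(cert.issuer, set())


def is_trusted(cert: Cert, revocation_checks_enabled: bool) -> bool:
    """Combine the two checks the way a client would: the blacklist always
    applies, revocation data is consulted only when the user has enabled it."""
    if blacklist_rejects(cert):
        return False
    if revocation_checks_enabled and revocation_rejects(cert):
        return False
    return True


def coverage_report(revocation_checks_enabled: bool) -> dict:
    """Trust decision per constructed certificate for the given client setting."""
    certs = (KNOWN_FRAUDULENT, LATER_FRAUDULENT, LEGITIMATE)
    return {c.subject: is_trusted(c, revocation_checks_enabled) for c in certs}


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"revocation checks enabled={enabled}: {coverage_report(enabled)}")
```

With revocation checks disabled, `mail.example` (fraudulent, but issued after the blacklist was frozen) is still trusted; with them enabled, both fraudulent certificates are rejected while the legitimate one passes. That gap is exactly why a shipped blacklist alone does not protect against a future CA compromise.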
Further details about the security update can be found in Apple's Safari 5.0.5 and Security Update 2011-002 security mailing list announcements. Safari 5.0.5 is available to download for Windows 7, Vista, XP and Mac OS X 10.5.8 or later from Apple's web site. Users can download Security Update 2011-002 for Mac OS X 10.5 Leopard (Client, Server) and 10.6 Snow Leopard from the company's support pages.
Mac OS X users can upgrade to the latest release via the built-in Software Update function. All users are advised to upgrade to the latest release as soon as possible.
- About the security content of Safari 5.0.5, security advisory from Apple.
- About Security Update 2011-002, security advisory from Apple.
- iOS update for iPhone and iPad blocks fake certificates, a report from The H.