Apple releases Safari security updates
Apple has issued updates for Safari, versions 5.02 and 4.1.2, to address several security vulnerabilities in the WebKit-based browser. In total, the Safari updates close 3 security holes, all of them rated as critical by Apple.
Two of the vulnerabilities relate to problems in the browser's open source WebKit rendering engine and reportedly affect all platforms. The issues are caused by an input validation problem in the way that the browser engine handles floating point data types and a bug in the handling of elements with run-in styling. According to Apple, they could allow an attacker to crash a victims browser or execute arbitrary code on a user's system. For an attack to be successful, a victim must first visit a specially crafted web page.
A third issue affecting only Windows systems that could have led to arbitrary code execution has also been corrected. Other changes include web form fixes and, when connecting to the Safari Extensions Gallery, the browser now establishes an encrypted, authenticated connection.
Safari 5.0.2 is available to download for Mac OS X 10.5.8 Leopard, 10.6.2 Snow Leopard and Windows XP SP2 or later. Alternatively, Safari 4.1.2 provided for users running Mac OS X 10.4.11 Tiger. Mac OS X users can upgrade to the latest release via the built-in Software Update function. All users are advised to upgrade to the latest release as soon as possible.
- About the security content of Safari 5.0.2 and Safari 4.1.2, security advisory from Apple.
- iTunes 10 addresses 13 security vulnerabilities, a report from The H.