Apple updates Safari web browser
Late on Wednesday night, Apple issued a new version of its free WebKit-based browser for Mac OS X and Windows. According to the company, Safari 5.0.4 mainly offers stability and compatibility improvements as well as numerous security-related bug fixes. For instance, the Mac version reportedly improves the stability of web pages with multiple instances of plug-in content, offers improved handling of image reflections and transition effects in HTML5, fixes a bug in connection with the printing of complex layouts, and optimises the support of VoiceOver, a technology that allows users to have the content of a website read out to them.
The Windows version of Safari can now better handle transition effects, offers improved printing, has fewer issues with YouTube HTML5 videos and also fixes bugs related to the integration of plug-in content.
Safari 5.0.4 offers various improvements in terms of security: Apple says that it has fixed several dozen bugs, including critical holes, in WebKit under Mac OS X. On the Windows platform, these issues were already addressed via the Windows version of iTunes 10.2, but they had remained unfixed under Mac OS X. As usual, a list of all security-related bug fixes can be found in an Apple support document. Safari is available for Mac OS X 10.6 (37.65 MB), Windows (33.97 MB) and Mac OS X 10.5 (46.83 MB).
However, the update leaves further holes unpatched, although any related information is currently (hopefully) still in safekeeping. At the Pwn2Own contest, which started yesterday (Wednesday), Safari was one of the first browsers to fall victim to an exploit. Security firm VUPEN demonstrated an attack on the Mac OS X version of Safari and won $15,000. Many Mac applications try to protect themselves from the effects of certain bugs via the Data Execution Prevention (DEP) mechanism, but VUPEN's exploit got around this by using return-oriented programming.
Charlie Miller said that he also has an exploit for Safari up his sleeve, but that he didn't get to demonstrate it because the order in which contestants demonstrate their exploits is decided by a draw; VUPEN were drawn to appear first. However, Miller's exploit reportedly still functions in the updated version; whether the expert will save it for next year's Pwn2Own is unknown.
- Apple releases Java security updates, a report from The H.
- Hackers versus Apple - An interview with Charlie Miller and Dino Dai Zovi, a feature from The H.