Safari 4.0.2 addresses WebKit vulnerabilities
Apple has closed two vulnerabilities in Safari 4, its web browser built on the open source WebKit browser engine, for Windows and Mac OS X. In addition to stability improvements to the Nitro JavaScript engine, Safari 4.0.2 addresses two WebKit vulnerabilities that could allow the execution of arbitrary code or lead to a cross-site scripting (XSS) attack.
A critical vulnerability caused by a memory corruption issue in WebKit's handling of numeric character references, which could allow the execution of arbitrary code, has been closed. A second vulnerability caused by an issue in WebKit's handling of the parent and top objects, which could have led to a cross-site scripting attack, has also been fixed. For either attack to succeed, a victim must first visit a maliciously crafted website.
All users are advised to update their browsers as soon as possible. Safari 4.0.2 is available to download for Windows XP, Vista, Mac OS X 10.4.11 and 10.5.7.
See also:
- About the security content of Safari 4.0.2, Apple security advisory.
(crve)