Safari 4 addresses numerous security vulnerabilities
At the 2009 Worldwide Developers Conference (WWDC) in San Francisco, Apple announced the release of Safari 4, its web browser built on the open source WebKit browser engine, for Windows and Mac OS X. The release addresses several bugs and over 50 security vulnerabilities found in the public beta released at the end of February.
Version 2.6.16 of libxml2 contained several vulnerabilities that could lead to the execution of arbitrary code. The Windows version of libxml2 was updated to version 2.7.3; on the Mac, the issues were addressed by applying the relevant OS patches. Multiple problems in the Windows version of Safari have also been fixed. These allowed the disclosure of sensitive information embedded in browser cookies that were not removed when the private browsing and reset Safari features were used.
Safari's handling of Extended Validation (EV) certificates has been updated, as it previously would not always display a certificate warning on a website with a revoked EV certificate. A bug in the Safari Windows installer that allowed Safari to run with elevated privileges on its initial launch has also been corrected.
Updates to the WebKit browser engine include numerous fixes to prevent cross-site scripting attacks, memory corruption issues that could lead to the execution of arbitrary code and information disclosure vulnerabilities.
Safari 4 now also supports the prevention of clickjacking attacks through the "X-Frame-Options" header. Clickjacking refers to attacks where malformed web pages place items like a transparent iframe under the mouse pointer. Users think that they are clicking on an item on the page, but actually click on elements contained within the iframe that can, for example, lead to malware and phishing sites.
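How a browser that honours the header can decide whether to render a framed page, as an added example that is not from the original article or from Apple. It is a simplified model: only the DENY and SAMEORIGIN values are handled, the comparison is against the top-level page's origin, an unrecognised value is treated as if the header were absent, and all URLs and headers are constructed samples.

```javascript
// Simplified model of X-Frame-Options enforcement (added example, assumptions above).
const DIRECTIVES = new Set(['DENY', 'SAMEORIGIN']);

// Look up a header case-insensitively in a plain { name: value } object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return null;
}

// May `framedUrl`, served with `headers`, render in a frame on `topUrl`?
function mayRenderInFrame(headers, framedUrl, topUrl) {
  const raw = getHeader(headers, 'X-Frame-Options');
  if (raw === null) {
    return { allowed: true, reason: 'no X-Frame-Options header' };
  }
  const directive = raw.trim().toUpperCase();
  if (!DIRECTIVES.has(directive)) {
    // A misspelt value protects nothing in this model: treated as absent.
    return { allowed: true, reason: `unrecognised value "${raw}"` };
  }
  if (directive === 'DENY') {
    return { allowed: false, reason: 'DENY forbids all framing' };
  }
  const same = new URL(framedUrl).origin === new URL(topUrl).origin;
  return { allowed: same, reason: same ? 'same origin' : 'cross-origin frame' };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { url: 'https://shop.example/pay', headers: { 'X-Frame-Options': 'DENY' } },
  { url: 'https://shop.example/cart', headers: { 'x-frame-options': 'sameorigin' } },
  { url: 'https://shop.example/login', headers: { 'X-Frame-Options': 'SAME-ORIGIN' } },
  { url: 'https://shop.example/help', headers: {} },
];

// Audit: which sample pages could a page on another origin still frame?
function framableFrom(topUrl) {
  return SAMPLES
    .filter((s) => mayRenderInFrame(s.headers, s.url, topUrl).allowed)
    .map((s) => s.url);
}

console.log(framableFrom('https://other.example/'));
```

The misspelt `SAME-ORIGIN` sample is reported as framable, which is the configuration mistake an audit like this is meant to catch.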
More details about the security and privacy features included in the new version of the browser can be found on Apple's Safari 4 page. All users are advised to update their browsers as soon as possible. Safari 4 is available to download for Windows XP, Vista, Mac OS X 10.4.11 and 10.5.7.
- About the security content of Safari 4.0, security advisory from Apple.