Safari 4 addresses numerous security vulnerabilities
At the 2009 World Wide Developer Conference (WWDC) in San Francisco, Apple announced the release of Safari 4, its web browser built on the open source WebKit browser engine, for Windows and Mac OS X. The release addresses several bugs and over 50 security vulnerabilities found in the public beta released at the end of February.
Vulnerabilities in the CFNetwork framework that allowed the disclosure of sensitive information, or the execution of JavaScript contained inside downloaded image files, have been fixed. Five issues in CoreGraphics on Windows XP and Vista have been addressed to correct memory corruption vulnerabilities that could lead to the execution of arbitrary code. A vulnerability in ImageIO that allowed arbitrary code execution through processing a maliciously crafted PNG file has been fixed. Internal Components for Unicode (ICU) have been updated to prevent maliciously crafted content from bypassing website filters, leading to cross-site scripting (XSS) attacks.
Version 2.6.16 of libxml2 contained several vulnerabilities that could lead to the execution of arbitrary code. The Windows version of libxml2 was updated to version 2.7.3 and on Mac, the issues were addressed by applying the relevant OS patches. Multiple problems in the Windows version of Safari that allowed the disclosure of sensitive information embedded inside of browser cookies not removed when the private browsing and reset Safari features were used, have also been fixed.
Safari's handling of Extended Validation (EV) certificates has been updated, as it previously would not always display a certificate warning on a website with a revoked EV certificate. A bug in the Safari Windows installer that allowed Safari to run with elevated privileges on its initial launch has also been corrected.
Updates to the WebKit browser engine include numerous fixes to prevent cross-site scripting attacks, memory corruption issues that could lead to the execution of arbitrary code and information disclosure vulnerabilities.
Safari 4 now also supports the prevention of clickjacking attacks through the "X-frame options" header. Clickjacking refers to attacks where malformed web pages place items like a transparent iFrame under the mouse pointer. Users think that they are clicking on an item on the page, but instead actually click on elements contained within the iFrame that can, for example, lead to malware and Phishing sites.
More details about the security and privacy features included in the new version of the browser can be found on Apple's Safari 4 page. All users are advised to update their browsers as soon as possible. Safari 4 is available to download for Windows XP, Vista, Mac OS X 10.4.11 and 10.5.7.
See also:
- About the security content of Safari 4.0, security advisory from Apple.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
