Safari updates close security holes - Update
Apple has released version 5.1 of its free WebKit-based Safari web browser for Mac OS X and Windows. In addition to adding several new features, the latest version of the browser includes various stability and compatibility improvements, as well as fixes for numerous security-related bugs.
Safari 5.1 includes fixes for a total of 58 security vulnerabilities, including several critical holes in WebKit that could be exploited by an attacker to, for example, cause unexpected application termination or arbitrary code execution. A number of problems affecting only the Windows version of Safari have also been corrected.
For users still running Mac OS X 10.5, such as those with PowerPC-based systems, Apple has released version 5.0.6 of Safari to close the above holes. All users are advised to upgrade to the latest version as soon as possible.
More details about the updates can be found in the security advisory and in the announcement on Apple's security mailing list. Safari 5.1 is available to download from Apple's Support web site for Mac OS X 10.6.5 or later, and Windows XP, Vista, and Windows 7 – Safari 5.1 is already included with Mac OS X Lion, which was released today. Users running Mac OS X 10.5.x Leopard can install Safari 5.0.6. Alternatively, Mac OS X users can upgrade to the latest release via the built-in Software Update function.
Update: Safari 5.1 also offers new privacy and security features, including a new Privacy Pane that lets users manage the data that web sites leave on their computers, including Flash cookies (LSOs – Local Shared Objects). On Mac OS X Lion systems, the browser supports sandboxing, preventing web sites from using exploits to access a user's system.
Other improvements include better graphics through hardware acceleration for HTML5 Canvas technologies and a new process architecture that, according to Apple, "divides the heavy lifting for smoother sailing", making the browser more stable and responsive. The addition of the Private AutoFill helps users ensure that data is only inserted automatically into web forms with their authorisation.
In an advisory, Adobe has warned that its Reader and Acrobat plug-ins are not yet compatible with Safari 5.1. The company advises users who require the features offered by the plug-ins – including support for digital signatures, portfolios, guides and rights management – to continue to use Safari 5.0.x on Mac OS X, thus leaving them vulnerable to the security holes closed in the update. Users who simply want to read PDF files can use the reader built into Safari.
- About the security content of Safari 5.1 and Safari 5.0.6, security advisory from Apple.