Stephen Withers
Tuesday, 09 June 2009 07:26
Safari 4.0 delivers a laundry list of security fixes. Many of them are Windows-specific, but that still leaves plenty that also apply to Mac OS X.
Apple has disclosed 48 security fixes in Safari 4.0, 11 of them specific to Windows.
Let's get the problems peculiar to the Windows implementation out of the way first.
Issues include temporary files being created in insecure locations while downloading; the possibility of arbitrary code execution triggered by malicious web pages containing graphics, embedded fonts, or PDF files; cross-site scripting attacks taking advantage of Unicode handling; failing to remove cookies after private browsing; failing to immediately remove website passwords from memory when resetting Safari; and running Safari for the first time with elevated permissions.
Some of these issues were previously addressed by updates to Mac OS X.
Cross-platform flaws are similarly varied.
Certain image files may be misidentified as HTML, allowing the possibility that embedded JavaScript will be executed without prompting the user for permission to proceed.
The libxml2 library has been updated to avoid multiple vulnerabilities, at least one of which can lead to arbitrary code execution.
Please read on for more issues fixed in Safari 4.0 - and a problem that's not mentioned.