Safari 4.0: security fixes galore!

Stephen Withers
Tuesday, 09 June 2009 08:26

Business IT - Security

Revocation checking of Extended Validation (EV) certificates has been improved - under some circumstances checking could be bypassed, allowing a page to be loaded without warning of a revoked certificate.

Remote sites are no longer allowed to open local help files - this eliminates an opportunity for information leakage or arbitrary code execution.

The largest number of fixes are in WebKit, the framework (based the open source project of the same name) that underpins Safari and other Mac OS X applications that use HTML or JavaScript.

Issues relate to cross-site scripting, URL spoofing using Unicode characters, malicious CSS, malformed HTML tables, clickjacking, JavaScript,  cross-site image capture, XML, referencing local file: URLs, SVG animation,  local Java applets, Web Inspector, and information disclosure during when dragging content.

There's no indication in the Apple security announcement that the company has cleaned up Safari 4.0 beta's habit of leaving behind page thumbnails when the browsing history is cleared.

Nor is it clear whether all the security fixes in Safari 4.0 relate only to the previous beta release, or if any of these issues are present in version 3.x.

We've asked Apple the question, and will update this story if and when we get an answer.