Safari 3.1 includes security fixes

Stephen Withers
Wednesday, 19 March 2008 01:16

Business IT - Technology

Even if you're not moved by Apple's claims about Safari 3.1's speed, there are other good reasons to install the new version.

Most of the security fixes in Safari proper are specific to the Windows version as those issues have already been solved (or never existed in) Mac OS X.

These relate to SSL certificate validation (fixed by Security Update 2007-008, Mac OS X 10.4.11 and 10.5 or later), proxy servers that deliver fake copies of secure pages (fixed in Mac OS X 10.5.2 or Security Update 2008-002 for Mac OS X 10.4.11) or a certain cross-site scripting attack that does not affect Mac OS X.

Another cross-site scripting attack - one that uses exploits a flaw in the handling of javascript: URLs - is addressed on both platforms. Safari 3.1 carries out additional validation to prevent malicious sites from causing the execution of JavaScript in another site's context.

Another nine fixes have been applied to the WebCore and WebKit frameworks used by Safari and other applications, and these affect Mac OS X and Windows.

Seven of them relate to cross-site scripting vulnerabilities, another is an 'over the shoulder' vulnerability (it seems the Kotoeri input method sometimes failed to display the contents of password input fields as bullets)  and the ninth is another example of our old favourite, the buffer overflow issue with the possibility of executing arbitrary code.

Apple also claims Safari 3.1 is the first browser to support the new video and audio tags in HTML 5 and the first to support CSS Animations.

CONTINUED