6 vulnerabilities patched in Safari for Mac and Windows

Aug 12, 2009 10:13 GMT

With the release of Safari 4.0.3 yesterday, Apple not only improved stability and compatibility with the software, but also included a number of security fixes, detailed in a Support document on the company’s official web site.

Affecting Safari 4 for Windows and Mac (Tiger and Leopard), a total of 6 vulnerabilities have recently been discovered in the browser and patched with the Safari 4.0.3 update. For example, with the help of SecureThoughts.com, Apple has discovered that a maliciously crafted website may be promoted into Safari's Top Sites view.

In the case of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista, it is possible for a malicious website to promote arbitrary sites into the Top Sites view through automated actions. The Top Sites feature provides an at-a-glance view of a user's favorite websites.

“This could be used to facilitate a phishing attack,” Apple explains on its web site. “This issue is addressed by preventing automated website visits from affecting the Top Sites list. Only websites that the user visits manually can be included in the Top Sites list. As a note, Safari enables fraudulent site detection by default. Since the introduction of the Top Sites feature, fraudulent sites are not displayed in the Top Sites view,” the company reveals.

A WebKit issue has been patched following the discovery that “look-alike characters in a URL could be used to masquerade a website,” Apple warns. “The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters,” the company explains. “These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit's list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar,” the description ends. Credited for reporting this issue is Chris Weber of Casaba Security, LLC.
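To illustrate the mitigation Apple describes, the following added example (not Apple's or WebKit's code) sketches an address-bar display policy: a label is rendered in Unicode only if it contains no character from a look-alike table and does not mix scripts, and is otherwise forced into its Punycode form. The look-alike table is a small constructed subset of what a browser would ship, and the function names and the name-prefix script heuristic are assumptions of this example.

```python
import unicodedata

# Constructed subset of a "known look-alike characters" table (assumption: a real
# browser ships a far larger list). Each maps to the ASCII letter it resembles.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04bb": "h",  # Cyrillic es, u, ha, shha
    "\u03bf": "o", "\u0131": "i",                                # Greek omicron, dotless i
}
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC", "CJK")

def script_of(ch):
    """Coarse script of one character, taken from its Unicode name prefix."""
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "COMMON"  # digits, hyphen and other script-neutral characters

def label_is_suspicious(label):
    """A Unicode label is suspicious if it holds a look-alike or mixes scripts."""
    if any(ch in LOOKALIKES for ch in label):
        return True
    return len({script_of(ch) for ch in label} - {"COMMON"}) > 1

def to_unicode_label(label):
    """Decode an xn-- (Punycode) label; anything undecodable is left as-is."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label

def display_hostname(host):
    """Address-bar form: Unicode for clean IDN labels, Punycode for look-alikes."""
    shown = []
    for label in host.split("."):
        uni = to_unicode_label(label)
        if uni.isascii():            # plain ASCII label: nothing to decide
            shown.append(label)
        elif label_is_suspicious(uni):
            shown.append(uni.encode("idna").decode("ascii"))  # force xn-- form
        else:
            shown.append(uni)        # safe to render as Unicode
    return ".".join(shown)
```

The look-alike table is what catches single-script spoofs such as an all-Cyrillic label, which a mixed-script check alone would let through.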

Other issues, relating to CoreGraphics and ImageIO, have also been patched in Safari 4.0.3. Full details on the security content of Safari 4.0.3 can be found over at Apple’s Support section. In the meantime, readers can download the latest version of Safari for Mac OS X using the link below.

Download Safari (Free)