14 DAY TRIAL // In usual manner, Apple has published a knowledge base article that describes the security content of Safari 5.0.1 and Safari 4.1.1. Safari 5 users have been granted extensions support with Apple launching Safari Extensions Gallery, a service that allows users to handpick their favorite extensions and enhance the quality of their web browsing experience. For Tiger, Safari 4.1.1 only brings some tweaks and fixes that are mentioned as additional changes for Safari 5.0.1. Both versions, however, bring a slew of security patches, two of which are detailed in the paragraphs to follow.
In recent tech news reports, Apple has been accused of neglecting a hole in Safari which, via the AutoFill feature, could disclose information to websites without user interaction. The bug has been patched and its discoverers have been properly credited. Apple’s official acknowledgement of the vulnerability and the newly-implemented resolution are described by the company in a Support article (HT4276) as follows:
CVE-ID: CVE-2010-1796
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Safari's AutoFill feature may disclose information to websites without user interaction
Description: Safari's AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user's Address Book Card. To trigger the issue, the following two situations are required. First, in Safari Preferences, under AutoFill, the "Autofill web forms using info from my Address Book card" checkbox must be selected. Second, the user's Address Book must have a Card designated as "My Card". Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action. Devices running iOS are not affected. Credit to Jeremiah Grossman of WhiteHat Security for reporting this issue.
Also affecting Safari on pretty much every possible supported platform was a cross-site scripting issue residing in the browser’s handling of RSS feeds. According to the Mac maker, “Accessing a maliciously crafted RSS feed may cause files from the user's system to be sent to a remote server.” Thanks to Billy Rios of the Google Security Team, who reporting this issue, this issue is now addressed through improved handling of RSS feeds. An additional 13 holes were found in WebKit, the browsers underlying engine, which are now plugged as well. Visit Apple here to se a full list of security fixes for Safari 5.0.1 and Safari 4.1.1.