Sep 8, 2010 07:47 GMT

Safari 5.0.2, the latest version of Apple’s proprietary web browser, is now available for free download to both Mac and Windows PC users, while version 4.1.2 is also available for those running an older version of Mac OS X, 10.4 Tiger.

On the Support Downloads area of its web site, Apple reveals that Safari 5.0.2 contains improvements to compatibility and security.

Most notably, the Cupertino-based giant explains, the update fixes an issue that could prevent users from submitting web forms, and one that could cause web content to display incorrectly when viewing a Google Image result with Flash 10.1 installed.

Additionally, the new Safari establishes an encrypted, authenticated connection to the Safari Extensions Gallery.

On the Windows front, Apple particularly addressed the issue that could prevent users from submitting web forms, and included the encrypted, authenticated connection to the Safari Extensions Gallery.

The web-forms issue is also addressed in the Tiger update to Safari.

In a manner typical of the Mac maker, an additional Support document outlining the security patches in Safari 5.0.2 and Safari 4.1.2 is now available.

Both versions fix issues affecting Mac and Windows users. One in particular applies solely to Windows PC customers.

Affecting Windows 7, Vista, XP SP2 or later, a search path issue in Safari may lead the way to arbitrary code execution. Apple details the vulnerability, found by Simon Raner of ACROS Security, as follows:

"When displaying the location of a downloaded file, Safari launches Windows Explorer without specifying a full path to the executable.

Launching Safari by opening a file in a specific directory will include that directory in the search path.

Attempting to reveal the location of a downloaded file may execute an application contained in that directory, which may lead to arbitrary code execution."

Addressed by using an explicit search path when launching Windows Explorer, the issue does not affect Mac OS X, Apple claims.
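The following sketch is an added example, not Apple's code. It models how a bare `explorer.exe` resolves compared with a fully qualified path, assuming the launch follows the documented Windows `CreateProcess` search order; all paths, the user name and the function names are constructed for illustration.

```python
import ntpath

# Constructed sample file system; every path here is illustrative.
FILES = {
    r"C:\Program Files\Safari\Safari.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\alice\Downloads\shared\page.html",
    r"C:\Users\alice\Downloads\shared\explorer.exe",  # planted look-alike
}
APP_DIR = r"C:\Program Files\Safari"
PATH_ENV = r"C:\Windows\System32;C:\Windows"


def search_dirs(app_dir, cwd, path_env, root=r"C:\Windows"):
    """Directories tried, in order, for a bare file name (assumed
    CreateProcess order: app dir, current dir, system dirs, PATH)."""
    fixed = [app_dir, cwd, ntpath.join(root, "System32"),
             ntpath.join(root, "System"), root]
    return fixed + [p for p in path_env.split(";") if p]


def resolve(command, cwd, app_dir=APP_DIR, path_env=PATH_ENV, files=FILES):
    """Return the file that would be started for `command`, or None."""
    present = {f.lower(): f for f in files}
    if ntpath.dirname(command):
        # A name that carries a path is never searched for.
        candidates = [ntpath.join(cwd, command)]
    else:
        candidates = [ntpath.join(d, command)
                      for d in search_dirs(app_dir, cwd, path_env)]
    for candidate in candidates:
        hit = present.get(ntpath.normpath(candidate).lower())
        if hit:
            return hit
    return None


def explicit_explorer(root=r"C:\Windows"):
    """Hardened form: fully qualified path, so no search takes place.
    The default root is constructed; real code asks the OS for it."""
    return ntpath.join(root, "explorer.exe")


if __name__ == "__main__":
    opened_from = r"C:\Users\alice\Downloads\shared"  # Safari started via page.html
    print("bare name     ->", resolve("explorer.exe", opened_from))
    print("explicit path ->", resolve(explicit_explorer(), opened_from))
```

With the bare name, the current directory is consulted before the Windows directory, so the look-alike is chosen; with the explicit path, the current directory plays no part.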

A couple more bugs are detailed in the documentation, both of which are WebKit-bound.

Affecting all platforms supported by Apple’s Safari, “an input validation issue exists in WebKit's handling of floating point data types.”

“Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution,” Apple reveals.

Addressed through improved validation of floating point values, the issue is now fixed thanks to a discovery by Luke Wagner of Mozilla, who reported the issue to Apple.

Finally, “A use after free issue exists in WebKit's handling of elements with run-in styling,” the company headquartered in Cupertino, California, notes.

Able to lead to unexpected application termination or arbitrary code execution after the user visits a maliciously crafted website, the issue is addressed through improved handling of object pointers, according to Apple.

A person identified as wushi of team509 is credited for finding the bug and reporting it to Apple.
