Softpedia
 


November 19th, 2010, 07:22 GMT · By

Critical Vulnerabilities Patched in Safari

[Image: Safari 5.0.3 and 4.1.3 released]

Apple has released new versions of its Safari browser in order to address a significant number of vulnerabilities, many of which allow for arbitrary code execution.

Apple's newly published security advisory mentions 27 flaws discovered and patched in Safari 4 and 5 for Mac and Safari 5 for Windows.

The new versions are Safari 4.1.3 for Mac OS X v10.4.11 (Tiger) and Safari 5.0.3 for Mac OS X v10.5.8 (Leopard), Mac OS X v10.6.4 (Snow Leopard), as well as Windows 7, Vista and XP.

Users are strongly advised to deploy these updates immediately as most of the addressed vulnerabilities can be exploited in drive-by download attacks.

Drive-by downloads occur when users visit maliciously crafted Web pages, which load exploits targeting arbitrary code execution flaws in popular software.

They are a common malware infection vector, especially on Windows systems, and the attacks are completely transparent to victims.

The pages rigged with malicious code are usually hosted on legitimate websites that have been compromised by attackers.

All security bugs patched in the new Safari releases are located in the WebKit layout engine, which is also used by other Apple products or third-party programs like Google Chrome.

In fact, several of the vulnerabilities covered in these updates have already been patched in Chrome or iOS during the past few months.

Many of them were reported to Apple by members of the Google Chrome Security Team or other regular contributors to the Chromium project, such as kuzzcc or wushi of team509.

Aside from the remote code execution bugs, a flaw (CVE-2010-3813) that forces DNS prefetching even when it's disabled has also been fixed.

Another one (CVE-2010-3810) allows inserting arbitrary locations into the browser history or spoofing the address bar location, which can enhance phishing attacks.

An information disclosure issue (CVE-2010-3259), stemming from a cross-origin error when handling canvas images, was also addressed.

So was a bug (CVE-2010-3804) allowing websites to track Safari users without the need for cookies, hidden form elements or IP addresses.

Safari 5.0.3 and 4.1.3 for Mac can be downloaded here.

Safari 5.0.3 for Windows can be downloaded here.
