Safari 4.0.1 is the first update shipped for the latest iteration of Apple's Mac OS X browser, which made its way to Windows starting with version 3.0. For both the 4.0.1 and the plain vanilla 4.0 flavors, the Cupertino-based hardware company has included security enhancements introduced by Microsoft for Internet Explorer. Yes, despite the claim that “Apple engineers designed Safari to be secure from day one,” featured on one of the webpages associated with the browser, Apple is in fact borrowing security improvements, and from none other than Internet Explorer, a product trashed time and again because of security-related issues.
In this regard, Safari 4.0 has embraced not only features specific to IE8, but also some delivered as early as IE6. “Version 4 of the Safari web browser now supports the HTTPOnly directive for cookies introduced by IE6 SP1. Now, all major browsers support the directive, which can help mitigate the impact of XSS exploits,” explained Eric Lawrence, a program manager on the Internet Explorer team.
When it launched Internet Explorer 6, Microsoft was looking for a way to keep attackers from reading cookies through client-side script. To that end, the Redmond company debuted a new feature, essentially an attribute for cookies, now also sported by Safari. “A cookie with this attribute is called an HTTP-only cookie. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site,” Microsoft explained.
But of course there's more. “Safari 4 also now supports the X-FRAME-OPTIONS directive introduced by IE8 to help sites prevent ClickJacking attacks. At the moment, this protection isn't yet available in Firefox unless you install the NoScript addon, but it looks like Mozilla is working on it,” Lawrence stated. Safari 4.0 for Windows was launched earlier this month. IE8 RTW went live in mid-March 2009.
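An added example (not from the article or from either browser vendor): a Python check over constructed HTTP response headers that flags cookies sent without the HttpOnly attribute and responses lacking an X-Frame-Options value of DENY or SAMEORIGIN. The function names and both sample responses are assumptions made for illustration.

```python
# Added example: the responses below are constructed samples, not captured traffic.
VALID_XFO = {"DENY", "SAMEORIGIN"}  # the two values IE8 shipped with

WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Set-Cookie: note=httponly; Path=/; Secure
"""

HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_flags(set_cookie_value):
    """Split a Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0]
    # Only parts after the first are attributes; a cookie *value* of
    # "httponly" must not be mistaken for the HttpOnly attribute.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(raw):
    """List the header weaknesses found in one raw HTTP response."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = cookie_flags(value)
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie!r} lacks HttpOnly (script can read it)")
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    if not xfo:
        findings.append("X-Frame-Options missing (any origin may frame the page)")
    elif len(set(xfo)) > 1 or xfo[0] not in VALID_XFO:
        findings.append(f"X-Frame-Options is not DENY or SAMEORIGIN: {xfo}")
    return findings

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(raw))
```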
Internet Explorer 8 (IE8) RTW is available for download here (for 32-bit and 64-bit flavors of Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).