Just yesterday, Apple released Safari 4.0.5 to the public
, an update recommended for all Safari users, as it includes improvements to performance, stability, and security. Talking about the last one, Apple has revealed in a Support document on its website that a total of 16 holes were in need of patching, all of which have been plugged in Safari 4.0.5.
A number of issues described in Support document HT4070
are typical to the Windows version of Apple’s web browser. However, over half of the vulnerabilities mentioned as fixed in Safari 4.0.5 affected both Mac and Windows installments. For example, a vulnerability affecting only Windows
users of Safari is described as follows:
“An integer overflow that could result in a heap buffer overflow exists in the handling of images with an embedded color profile. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. The issue is addressed by performing additional validation of color profiles. This issue does not affect Mac OS X systems.”
Apple credits Sebastien Renaud of the VUPEN Vulnerability Research Team for reporting this issue, thanks to whom the company was able to issue this patch. As for the issues affecting both Mac and Windows versions of Safari, “An implementation issue exists in the handling of cookies set by RSS and Atom feeds,” Apple reveals, describing another plugged hole.
“Visiting or updating a feed may result in a cookie being set, even if Safari is configured to block cookies via the ‘Accept Cookies’ preference. This update addresses the issue by respecting the preference while updating or viewing feeds.” Apple either forgets to include credits to whomever found the issue, or it was one of its own technicians that discovered and corrected the code.
For a complete list of Safari 4.0.5 security fixes, visit Apple’s Support section here
. The company appears to have kicked off an Online Support Survey aiming to gather suggestions on how to improve the website. We’re looking into it right now. Stick around for more details on this particular topic.