Users are advised to update to the latest version to avoid incidents

Mar 13, 2012 08:44 GMT

Apple recently released Safari 5.1.4, the latest version of the popular browser, which brings not only feature improvements but also fixes for security holes that could allow an attacker to cause serious damage.

One of the more important issues was identified by Matt Cooley from Symantec, who noticed that the International Domain Name (IDN) support in Safari could be utilized to create URLs that contain look-alike characters.

These URLs could have been easily leveraged by an attacker in phishing and other malicious campaigns that promoted shady or dangerous products. Fortunately, the weakness was resolved with the use of an improved domain name validity check system.
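A look-alike check of the kind described above, as an added example (it is not Apple's code and not the actual Safari fix): it flags hostname labels that mix Unicode scripts and falls back to the punycode form for display. The function names and sample hostnames are constructed for illustration, and detecting a script from the first word of a character's Unicode name is a simplifying assumption.

```python
import unicodedata

def to_unicode_label(label: str) -> str:
    """Decode an 'xn--' (punycode) label to Unicode; pass other labels through."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: keep the raw ASCII form
    return label

def scripts_in(label: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def suspicious_labels(hostname: str) -> dict:
    """Map each label that mixes scripts to the sorted list of scripts found.

    Coarse heuristic: a label written entirely in one non-Latin script is not
    flagged, and scripts that are legitimately combined will be flagged.
    """
    flagged = {}
    for raw in hostname.rstrip(".").split("."):
        label = to_unicode_label(raw)
        scripts = scripts_in(label)
        if len(scripts) > 1:
            flagged[label] = sorted(scripts)
    return flagged

def display_form(hostname: str) -> str:
    """Unicode for single-script hosts, punycode when any label mixes scripts."""
    labels = hostname.rstrip(".").split(".")
    if not suspicious_labels(hostname):
        return ".".join(to_unicode_label(l) for l in labels)
    return ".".join(l if l.isascii() else
                    "xn--" + l.encode("punycode").decode("ascii")
                    for l in labels)

if __name__ == "__main__":
    # Constructed samples: U+0430 is CYRILLIC SMALL LETTER A, not Latin "a".
    for host in ["bank.example", "b\u0430nk.example",
                 "\u0431\u0430\u043d\u043a.example"]:
        print(ascii(host), suspicious_labels(host), ascii(display_form(host)))
```

Showing the `xn--` form for a flagged host makes the substitution visible to the user instead of rendering a name that looks identical to the Latin one.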

Another problem posed a serious threat to customers' privacy: the browsing history was recorded even if the Private Browsing feature was active.

As far as the vulnerabilities discovered in WebKit are concerned, a familiar name pops up. Three of the five cross-site scripting issues that existed in WebKit were credited to Sergey Glazunov, the Russian security expert who amazed everyone by finding a flaw in Google Chrome shortly after the browser-hacking Pwnium competition started.

Glazunov was also credited with a cross-origin issue in the WebKit component that could have allowed cookies to be disclosed across origins.

A similar security hole was found by Adam Barth of the Google Chrome Security Team. He demonstrated that a cross-site scripting (XSS) attack could be launched when a user visited a malicious site and dragged content with the mouse.

Other issues that affected users' privacy included one in the enforcement of the cookie policy and one in the HTTP authentication process.

Finally, a large number of memory corruption vulnerabilities that may have permitted the execution of arbitrary code have been addressed. Among those who discovered the flaws we find Arthur Gerkis, miaubiz, Abhishek Arya, Cris Neckar, and Aki Helin of OUSPG.

Safari 5.1.4 for Windows is available for download here

Safari 5.1.4 for Mac is available for download here