Nov 19, 2010 07:22 GMT

Apple has released new versions of its Safari browser in order to address a significant number of vulnerabilities, many of which allow for arbitrary code execution.

Apple's newly published security advisory mentions 27 flaws discovered and patched in Safari 4 and 5 for Mac and Safari 5 for Windows.

The new versions are Safari 4.1.3 for Mac OS X v10.4.11 (Tiger) and Safari 5.0.3 for Mac OS X v10.5.8 (Leopard), Mac OS X v10.6.4 (Snow Leopard), as well as Windows 7, Vista and XP.

Users are strongly advised to deploy these updates immediately as most of the addressed vulnerabilities can be exploited in drive-by download attacks.

Drive-by downloads occur when users visit maliciously crafted Web pages, which load exploits targeting arbitrary code execution flaws in popular software.

They are a common malware infection vector, especially on Windows systems, and the attacks are completely transparent to victims.

The pages rigged with malicious code are usually hosted on legitimate websites that have been compromised by attackers.

All security bugs patched in the new Safari releases are located in the WebKit layout engine, which is also used by other Apple products and by third-party programs like Google Chrome.

In fact, several of the vulnerabilities covered in these updates have already been patched in Chrome or iOS during the past few months.

Many of them were reported to Apple by members of the Google Chrome Security Team or other regular contributors to the Chromium project, such as kuzzcc or wushi of team509.

Aside from the remote code execution bugs, a flaw (CVE-2010-3813) that forces DNS prefetching even when it's disabled has also been fixed.

Another one (CVE-2010-3810) allows inserting arbitrary locations into the browser history or spoofing the address bar location, which can enhance phishing attacks.

An information disclosure issue (CVE-2010-3259), stemming from a cross-origin error when handling canvas images, was also addressed.

So was a bug (CVE-2010-3804) allowing websites to track Safari users without the need for cookies, hidden form elements or IP addresses.

Safari 5.0.3 and 4.1.3 for Mac can be downloaded here.

Safari 5.0.3 for Windows can be downloaded here.