Safari update closes security holes
Apple has released version 5.1.4 of its Safari web browser for Windows and Mac OS X. According to the company, the maintenance and security update addresses more than 80 vulnerabilities. The update also includes includes various stability and performance improvements as well as fixes for other non-security related bugs.
A majority of the security holes closed in 5.1.4 were found in the WebKit browser engine used by Safari. These include several cross-site scripting (XSS), cross-origin and HTTP authentication problems, as well as numerous memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution.
The recent issue, where Google were accused of bypassing Safari's privacy controls on cookies, also appears to have been addressed. Details of how Apple have fixed this though are not given. A bug in Safari's Private Browsing mode that allowed page visits to be recorded in the browser history when the mode was active has been fixed.
On Windows systems, the browser update improves domain name validity checking in order to prevent attackers from using look-alike characters in a URL to visually spoof a legitimate domain and direct users to a malicious site – Mac OS X systems were not affected by this issue.
A full list of security fixes can be found in About the security content of Safari 5.1.4. Safari 5.1.4 is available to download for Windows XP or later, and Mac OS X 10.6 and 10.7. Alternatively, Mac OS X users can upgrade to the new version via the built-in Software update function. All users are advised to upgrade as soon as possible.
See also:
- Apple closes security holes with iOS 5.1 and iTunes update, a report from The H.
(crve)