Apple Updates Safari Web Browser; Security Fixes Included
Posted on by Peter James
Apple has released version 5 of its Safari web browser for Mac OS X and Windows, along with a security update for Safari 4.1 for users who cannot run version 5 (which requires Mac OS X 10.6, Snow Leopard). The updates contain dozens of security fixes for the Safari program itself and for WebKit, its HTML rendering engine, which is also used by other programs. Among the bugs the fixes correct:
- A maliciously crafted URL may be obfuscated, making phishing attacks more effective
- Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
- Visiting a maliciously crafted website and dragging or pasting links or images may send files from the user’s system to a remote server
- Dragging or pasting a selection may lead to a cross-site scripting attack
- Visiting a maliciously crafted website may cause files to be created in arbitrary user-writable locations
- Interacting with a maliciously crafted website may result in unexpected actions on other sites
- Visiting an HTTPS site which redirects to an HTTP site may lead to an information disclosure
- Visiting a maliciously crafted website may result in sending remotely specified data to arbitrary TCP ports
- A user’s NTLM credentials may be exposed to a man-in-the-middle attacker
- Visiting a maliciously crafted website may disclose images from other sites
- Visiting a maliciously crafted website may change the contents of the clipboard
- A maliciously crafted website may be able to determine which sites a user has visited
The wide variety of possible vulnerabilities listed above is a sobering reminder that the web is one of the main vectors of security threats today. All of the above, it is important to note, can take place with no user interaction: the “maliciously crafted websites” are often legitimate sites that have been hacked to include links that exploit these vulnerabilities, so the user does not even have to wander into the dark alleys of the Internet to get hit. This is why today’s security software has to protect against web threats as well as malware.