AAPL Stock: 107.72 ( -5.04 )

Printed from

Safari 4 resolves numerous security issues

updated 07:00 pm EDT, Mon June 8, 2009

Safari security updated V4

The new Safari 4.0, announced today at the WWDC keynote address, includes a host of security enhancements. Issues with CFNetworks have been resolved, with the program examining the content of CFNetwork files and treat them as HTML, and downloading files to the user's secure temporary direction location. CoreGraphics has also been enhanced, fixing memory corruption issues by improving bounds checking, error checking and input validation of TrueType font data.

ImageIO problems such as uninitialized pointer issues when opening PNG files have been resolved by performing additional validation of each image. V4.0 also fixes Internal Components for Unicode, improving handling of invalid byte sequences, therefore stopping attackers that attempt to bypass filters on websites.

libxml2 version 2.6.16 has numerous errors that can lead to application failure and arbitrary code negation. On Windows this is fixed by updating libxml2 to version 2.7.3, while on Mac OS X these issues are fixed by applying relevant patched.

Safari Windows has problems such as disclosure of sensitive information embedded in the browser cookies, and application reset malfunctions, which have been fixed. The Safari Windows Installer also resolves privilege issues by using a different compression method in the installer. On Mac, issues such as handling of Extended Validation certificates and unwanted disclosure of local file content have also been fixed.

WebKit resolves numerous problems by improving how the program handles byte order mark sequences, color settings, and style sheets. Other issues are also fixed by not rending Unicode ideographic spaces in the address bar, initializing the internal representation of HTML tables, allowing individual web pages to opt out of being displayed within a subframe, and ensuring event handlers are not able to directly affect an in-progress page transition. The update settles issues such as attackers attempts to duplicate embedded files with different security zones, and memory corruption caused by assigning an exception to a constant variable. Numerous other WebKit fixes have been made with the update.

Safari 4 is available for download from the Apple website for free.

by MacNN Staff





  1. phillymjs

    Joined: Dec 1969



    Still doesn't leave the cursor in the Google search field if it's in there when you create a new tab.

    The Choose File... button doesn't work in Outlook Web Access, nor can I select a photo to upload to Facebook.

    Both of these issues existed in the beta and I reported them as bugs. Oh well, at least the tabs are back to normal.

  1. jpellino

    Joined: Dec 1969


    Jpeg dragging works.

    jpeg files dragged to the finder no longer have an additional ".jpeg" suffix added to their existing suffix as they did in the beta. Anyone know if we can turn Java back on yet?

  1. testudo

    Joined: Dec 1969



    Nope, because the problem is with java, not safari. But give apple some time. 6 months is not enough time to fix a security issue.

  1. Chris Hutcheson

    Joined: Dec 1969



    Still seems to have problems working with fckedit in some applications - updating in Joomla seemed to resolve this, but not so much in Drupal. Seems odd, when it works (and has for years) with Firefox

  1. shawnde

    Joined: Dec 1969


    re: Annoyances...

    Hmm, I didn't know you could access Outlook Web Access on Safari? I thought that was an ActiveX control. Have they changed it?

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Blue Yeti Studio

Despite being very familiar with Blue Microphones' lower-end products -- we've long recommended the company's Snowball line of mics ...

ZTE Spro 2 Smart Projector

Home theaters are becoming more and more accessible these days, but maybe you've been a bit wary about buying a home projector. And h ...

MSI Geforce GTX 970 100ME

When Nvidia announced a new line of video cards in September 2014, many people thought things would continue to be business as usual i ...


Most Commented