AAPL Stock: 118.88 ( + 1.13 )

Printed from

Safari 4 resolves numerous security issues

updated 07:00 pm EDT, Mon June 8, 2009

Safari security updated V4

The new Safari 4.0, announced today at the WWDC keynote address, includes a host of security enhancements. Issues with CFNetworks have been resolved, with the program examining the content of CFNetwork files and treat them as HTML, and downloading files to the user's secure temporary direction location. CoreGraphics has also been enhanced, fixing memory corruption issues by improving bounds checking, error checking and input validation of TrueType font data.

ImageIO problems such as uninitialized pointer issues when opening PNG files have been resolved by performing additional validation of each image. V4.0 also fixes Internal Components for Unicode, improving handling of invalid byte sequences, therefore stopping attackers that attempt to bypass filters on websites.

libxml2 version 2.6.16 has numerous errors that can lead to application failure and arbitrary code negation. On Windows this is fixed by updating libxml2 to version 2.7.3, while on Mac OS X these issues are fixed by applying relevant patched.

Safari Windows has problems such as disclosure of sensitive information embedded in the browser cookies, and application reset malfunctions, which have been fixed. The Safari Windows Installer also resolves privilege issues by using a different compression method in the installer. On Mac, issues such as handling of Extended Validation certificates and unwanted disclosure of local file content have also been fixed.

WebKit resolves numerous problems by improving how the program handles byte order mark sequences, color settings, and style sheets. Other issues are also fixed by not rending Unicode ideographic spaces in the address bar, initializing the internal representation of HTML tables, allowing individual web pages to opt out of being displayed within a subframe, and ensuring event handlers are not able to directly affect an in-progress page transition. The update settles issues such as attackers attempts to duplicate embedded files with different security zones, and memory corruption caused by assigning an exception to a constant variable. Numerous other WebKit fixes have been made with the update.

Safari 4 is available for download from the Apple website for free.

by MacNN Staff



  1. phillymjs

    Joined: Dec 1969



    Still doesn't leave the cursor in the Google search field if it's in there when you create a new tab.

    The Choose File... button doesn't work in Outlook Web Access, nor can I select a photo to upload to Facebook.

    Both of these issues existed in the beta and I reported them as bugs. Oh well, at least the tabs are back to normal.

  1. jpellino

    Joined: Dec 1969


    Jpeg dragging works.

    jpeg files dragged to the finder no longer have an additional ".jpeg" suffix added to their existing suffix as they did in the beta. Anyone know if we can turn Java back on yet?

  1. testudo

    Joined: Dec 1969



    Nope, because the problem is with java, not safari. But give apple some time. 6 months is not enough time to fix a security issue.

  1. Chris Hutcheson

    Joined: Dec 1969



    Still seems to have problems working with fckedit in some applications - updating in Joomla seemed to resolve this, but not so much in Drupal. Seems odd, when it works (and has for years) with Firefox

  1. shawnde

    Joined: Dec 1969


    re: Annoyances...

    Hmm, I didn't know you could access Outlook Web Access on Safari? I thought that was an ActiveX control. Have they changed it?

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented