updated 07:00 pm EDT, Mon June 8, 2009
Safari security updated V4
The new Safari 4.0, announced today at the WWDC keynote address, includes a host of security enhancements. Issues with CFNetworks have been resolved, with the program examining the content of CFNetwork files and treat them as HTML, and downloading files to the user's secure temporary direction location. CoreGraphics has also been enhanced, fixing memory corruption issues by improving bounds checking, error checking and input validation of TrueType font data.
ImageIO problems such as uninitialized pointer issues when opening PNG files have been resolved by performing additional validation of each image. V4.0 also fixes Internal Components for Unicode, improving handling of invalid byte sequences, therefore stopping attackers that attempt to bypass filters on websites.
libxml2 version 2.6.16 has numerous errors that can lead to application failure and arbitrary code negation. On Windows this is fixed by updating libxml2 to version 2.7.3, while on Mac OS X these issues are fixed by applying relevant patched.
Safari Windows has problems such as disclosure of sensitive information embedded in the browser cookies, and application reset malfunctions, which have been fixed. The Safari Windows Installer also resolves privilege issues by using a different compression method in the installer. On Mac, issues such as handling of Extended Validation certificates and unwanted disclosure of local file content have also been fixed.
WebKit resolves numerous problems by improving how the program handles byte order mark sequences, color settings, and style sheets. Other issues are also fixed by not rending Unicode ideographic spaces in the address bar, initializing the internal representation of HTML tables, allowing individual web pages to opt out of being displayed within a subframe, and ensuring event handlers are not able to directly affect an in-progress page transition. The update settles issues such as attackers attempts to duplicate embedded files with different security zones, and memory corruption caused by assigning an exception to a constant variable. Numerous other WebKit fixes have been made with the update.
Safari 4 is available for download from the Apple website for free.