Apple update fixes 11 Safari security flaws
Published: 14 Nov 2008 12:23 GMT
On Thursday, Apple released Safari 3.2. Although the update affects both Mac and Windows users, many of the Mac updates were provided in Apple's October update for Mac OS X users. The update includes eight fixes specific to Safari and three specific to WebKit.
Safari 3.2 is available via the Apple Software Update application, the Apple Downloads page or Apple's Safari download site.
Safari-1
This patch affects Safari users on Windows XP or Vista.
This update addresses multiple vulnerabilities in zlib 1.2.2 detailed within CVE-2005-2096.
Apple credited Robbie Joosten of bioinformatics@school, and David Gunnells of the University of Alabama at Birmingham for reporting the vulnerabilities.
Safari-2
This patch affects users of Windows XP or Vista.
This update addresses the security issue in the libxslt library detailed within CVE-2008-1767 in which processing an XML document may lead to an unexpected application termination or arbitrary code execution.
Apple credited Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of the Google Security Team for finding the vulnerability.
Safari-3
This patch affects users of Windows XP or Vista.
The update addresses the heap buffer overflow issue that exists in the CoreGraphics handling of colour spaces detailed within CVE-2008-3623, in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.
Apple credited itself for finding the vulnerability.
Safari-4
This patch affects users of Windows XP or Vista.
This update addresses the security issue detailed within CVE-2008-2327 in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
Apple credited itself for finding the vulnerability.
Safari-5
This patch affects users of Windows XP or Vista.
The update addresses the vulnerabilities detailed within CVE-2008-2332, in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Specifically, a memory-corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images.
Apple credited Robert Swiecki of the Google Security Team for finding the vulnerability.
Safari-6
This patch affects users of Windows XP or Vista.
This update addresses the security issue detailed within CVE-2008-3608, in which viewing a large, maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution.
Apple credited itself for finding the vulnerability.
Safari-7
This patch affects users of Windows XP or Vista.
This update addresses the security issue detailed within CVE-2008-3642, in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.
Competition
Win a Yoggie Gatekeeper Card Pro
Gatekeeper Card Pro is designed to protect laptops in and out of the office. Enter soon though, as the competition ends on 17 November
Apple credited itself for finding the vulnerability.
Safari-8
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, or Windows XP or Vista.
The update addresses the vulnerabilities detailed within CVE-2008-3644, in which disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user.
Apple credited an anonymous researcher for finding the vulnerability.
WebKit-1
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, or Windows XP or Vista.
This update addresses the security issue detailed within CVE-2008-2303, in which visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
Apple credited SkyLined of Google for finding the vulnerability.
WebKit-2
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, and Windows XP or Vista.
The update addresses the vulnerabilities detailed within CVE-2008-2317, in which visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Specifically, a memory-corruption issue exists in WebCore's handling of style sheet elements. The issue has already been addressed in systems running Mac OS X v10.5.5.
Apple credited the TippingPoint Zero Day Initiative for finding the vulnerability.
Webkit-3
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, and Windows XP or Vista.
This update addresses the security issue detailed within CVE-2008-4216, in which visiting a maliciously crafted website may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface.
Apple credited Billy Rios of Microsoft and Nitesh Dhanjani of Ernst & Young for finding this vulnerability.
Credit: Apple updates Safari with 11 security fixes from CNET News.com
Did you find this article useful?
3 out of 3 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
