With Safari 5, Apple plugs four dozen holes
Latest version of Safari browser fixes vulnerabilities that could allow an attacker to take control of the computer, if someone just visited a malicious Web site, among other scenarios.
Apple has released the latest version of its Safari browser that includes fixes for four dozen security holes, mostly in the open-source WebKit technology and many of which leave a computer open to compromise by drive-by-download attacks from visiting a malicious Web page.
Safari 5 for Windows and Mac debuted on Monday. The impact on security issues is detailed in this advisory, which applies to Safari 5.0 and Safari 4.1.
The release updates the browser to display a warning before navigating to an HTTP (Hypertext Transfer Protocol) or HTTPS (secure HTTP) Web address containing user information, to better protect against phishing attacks, removes a heap buffer overflow in the handling of images using ColorSync technology, and addresses an issue in Safari's handling of PDF files.
The software also plugs 44 holes in WebKit alone that could allow for numerous types of attacks and compromises, including: information disclosure from dragging or pasting links or images; cross-site scripting attacks; unexpected actions on other sites caused by interacting with a malicious Web page; data leakage from visiting an HTTPS site that redirects to a less secure HTTP site; data being sent to an IRC server by visiting a malicious Web site; and a plethora of the garden-variety arbitrary code execution attack from visiting a malicious site.
Microsoft on Tuesday issued 10 security bulletins, fixing 34 vulnerabilities in one of its largest Patch Tuesdays to date. Meanwhile, Adobe said it would issue a patch for a critical hole in its Flash technology being exploited in the wild by delivering an update for Flash Player by Thursday, and for Adobe Reader and Acrobat by June 29.