
Apple Improves Security of Safari by Patching Flaws

Posted: November 13, 2009

This was a very busy week for Apple, which released seven patches.

The first security update, released on Monday, applies to Mac OS X Leopard and Snow Leopard. The second update, issued on Wednesday, delivers a new version of the Safari Web browser, available for Mac, PC, and iPhone operating systems. The newest update addresses a range of security threats, including remote code execution, system crashes and information disclosure bugs, Apple explained in its advisory. Both the Mac OS X and Windows versions of Safari need to be updated to version 4.0.4.

The freshly released Safari 4.0.4 closes what appear to be moderate-to-severe security issues. Unlike the makers of rival browsers Internet Explorer, Firefox, and Chrome, Apple doesn't rate the severity of its security flaws. Maliciously crafted XML, FTP content, and ColorSync profiles embedded in images, along with issues in the WebKit engine, the open-source foundation of Safari, could be used to crash or exploit the Windows and Mac versions of Safari when Web sites are opened.

Using shortcut menu options within a maliciously crafted Web site could have led to unexpected security threats, such as local information disclosure and arbitrary code execution, when other maliciously written websites are visited. Only Windows versions of Safari are prone to the embedded image color profile flaw, while an exploit that could enable email to remotely access audio and video content when loading a remote image affects Macs only.

Of the seven flaws that Safari 4.0.4 fixes, six affect the little-used Windows version of the browser and six affect Mac OS X 10.4, aka Tiger, but only three apply to Mac OS X 10.5 and 10.6, Leopard and Snow Leopard, respectively. In contrast to the operating system security update released on Monday, which didn't provide patches for Mac OS X 10.4, Wednesday's update covers users who run Safari on that 2005 operating system. Apple traditionally stops delivering security updates for its oldest still-supported OS several months after the release of a new edition, but evidently will continue to support Safari on Tiger.

Safari 4.0.4 for Windows or Mac can be downloaded from Apple's website. Existing users of the Safari browser can get the new version by running Software Update on the Mac or the bundled Apple Software Update on Windows. Safari 4.0.4 also improves JavaScript performance. In the SunSpider JavaScript Benchmark, Safari 4.0.4 is 1.08 times as fast as version 4.0.3 overall, with considerable gains in many tests. The final and most important thing to note is that Safari 4.0.4 does not break ClickToFlash. The last security update Safari received was in mid-August, when Apple fixed six security issues, four of them critical.