This article has been archived and is no longer updated by Apple.

About the security content of Safari 5.1.4

This document describes the security content of Safari 5.1.4.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

Safari 5.1.4

  • Safari

Available for: Windows 7, Vista, XP SP2 or later

Impact: Look-alike characters in a URL could be used to masquerade a website

Description: The International Domain Name (IDN) support in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue is addressed through an improved domain name validity check. This issue does not affect OS X systems.

CVE-ID

CVE-2012-0584 : Matt Cooley of Symantec

  • Safari

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista, XP SP2 or later

Impact: Web page visits may be recorded in browser history even when Private Browsing is active

Description: Safari’s Private Browsing is designed to prevent recording of a browsing session. Pages visited as a result of a site using the JavaScript methods pushState or replaceState were recorded in the browser history even when Private Browsing mode was active. This issue is addressed by not recording such visits when Private Browsing is active.

CVE-ID

CVE-2012-0585 : Eric Melville of American Express

  • WebKit

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack

Description: Multiple cross-site scripting issues existed in WebKit

CVE-ID

CVE-2011-3881 : Sergey Glazunov

CVE-2012-0586 : Sergey Glazunov

CVE-2012-0587 : Sergey Glazunov

CVE-2012-0588 : Jochen Eisinger of Google Chrome Team

CVE-2012-0589 : Alan Austin of polyvore.com

  • WebKit

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website may lead to the disclosure of cookies

Description: A cross-origin issue existed in WebKit, which may allow cookies to be disclosed across origins.

CVE-ID

CVE-2011-3887 : Sergey Glazunov

  • WebKit

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website and dragging content with the mouse may lead to a cross-site scripting attack

Description: A cross-origin issue existed in WebKit, which may allow content to be dragged and dropped across origins.

CVE-ID

CVE-2012-0590 : Adam Barth of Google Chrome Security Team

  • WebKit

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit.

CVE-ID

CVE-2011-2825 : wushi of team509 working with TippingPoint's Zero Day Initiative

CVE-2011-2833 : Apple

CVE-2011-2846 : Arthur Gerkis, miaubiz

CVE-2011-2847 : miaubiz, Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2011-2854 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2011-2855 : Arthur Gerkis, wushi of team509 working with iDefense VCP

CVE-2011-2857 : miaubiz

CVE-2011-2860 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2011-2866 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2011-2867 : Dirk Schulze

CVE-2011-2868 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2011-2869 : Cris Neckar of Google Chrome Security Team using AddressSanitizer

CVE-2011-2870 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2011-2871 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2011-2872 : Abhishek Arya (Inferno) and Cris Neckar of Google Chrome Security Team using AddressSanitizer

CVE-2011-2873 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2011-2877 : miaubiz

CVE-2011-3885 : miaubiz

CVE-2011-3888 : miaubiz

CVE-2011-3897 : pa_kt working with TippingPoint's Zero Day Initiative

CVE-2011-3908 : Aki Helin of OUSPG

CVE-2011-3909 : Google Chrome Security Team (scarybeasts) and Chu

CVE-2011-3928 : wushi of team509 working with TippingPoint's Zero Day Initiative

CVE-2012-0591 : miaubiz, and Martin Barbella

CVE-2012-0592 : Alexander Gavrun working with TippingPoint's Zero Day Initiative

CVE-2012-0593 : Lei Zhang of the Chromium development community

CVE-2012-0594 : Adam Klein of the Chromium development community

CVE-2012-0595 : Apple

CVE-2012-0596 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0597 : miaubiz

CVE-2012-0598 : Sergey Glazunov

CVE-2012-0599 : Dmytro Gorbunov of SaveSources.com

CVE-2012-0600 : Marshall Greenblatt, Dharani Govindan of Google Chrome, miaubiz, Aki Helin of OUSPG

CVE-2012-0601 : Apple

CVE-2012-0602 : Apple

CVE-2012-0603 : Apple

CVE-2012-0604 : Apple

CVE-2012-0605 : Apple

CVE-2012-0606 : Apple

CVE-2012-0607 : Apple

CVE-2012-0608 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0609 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0610 : miaubiz, Martin Barbella using AddressSanitizer

CVE-2012-0611 : Martin Barbella using AddressSanitizer

CVE-2012-0612 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0613 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0614 : miaubiz, Martin Barbella using AddressSanitizer

CVE-2012-0615 : Martin Barbella using AddressSanitizer

CVE-2012-0616 : miaubiz

CVE-2012-0617 : Martin Barbella using AddressSanitizer

CVE-2012-0618 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0619 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0620 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0621 : Martin Barbella using AddressSanitizer

CVE-2012-0622 : Dave Levin and Abhishek Arya of the Google Chrome Security Team

CVE-2012-0623 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0624 : Martin Barbella using AddressSanitizer

CVE-2012-0625 : Martin Barbella

CVE-2012-0626 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0627 : Apple

CVE-2012-0628 : Slawomir Blazek, miaubiz, Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0629 : Abhishek Arya (Inferno) of Google Chrome Security Team

CVE-2012-0630 : Sergio Villar Senin of Igalia

CVE-2012-0631 : Abhishek Arya (Inferno) of Google Chrome Security Team

CVE-2012-0632 : Cris Neckar of the Google Chrome Security Team using AddressSanitizer

CVE-2012-0633 : Apple

CVE-2012-0635 : Julien Chaffraix of the Chromium development community, Martin Barbella using AddressSanitizer

CVE-2012-0636 : Jeremy Apthorp of Google, Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0637 : Apple

CVE-2012-0638 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0639 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer

CVE-2012-0648 : Apple

  • WebKit

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista, XP SP2 or later

Impact: Cookies may be set by third-party sites, even when Safari is configured to block them

Description: An issue existed in the enforcement of its cookie policy. Third-party websites could set cookies if the "Block Cookies" preference in Safari was set to the default setting of "From third parties and advertisers".

CVE-ID

CVE-2012-0640 : nshah

  • WebKit

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista, XP SP2 or later

Impact: HTTP authentication credentials may be inadvertently disclosed to another site

Description: If a site uses HTTP authentication and redirects to another site, the authentication credentials may be sent to the other site.

CVE-ID

CVE-2012-0647 : an anonymous researcher

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: