This document describes the security content of Safari 6.0.1.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates".


Safari 6.0.1
Note: For OS X Mountain Lion systems, Safari 6.0.1 is included with OS X Mountain Lion v10.8.2.

Safari

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

Impact: Opening a maliciously crafted downloaded HTML document may lead to the disclosure of local file content

Description: In OS X Mountain Lion, HTML files were removed from the unsafe type list. Quarantined HTML documents are opened in a safe mode that prevents accessing other local or remote resources. A logic error in Safari's handling of the Quarantine attribute caused the safe mode not to be triggered on Quarantined files. This issue was addressed by properly detecting the existence of the Quarantine attribute.

CVE-ID

CVE-2012-3713 : Aaron Sigel of vtty.com, Masahiro Yamada

 


Safari

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

Impact: Using Autofill on a maliciously crafted website may lead to the disclosure of contact information

Description: A rare condition existed in the handling of Form Autofill. Using Form Autofill on a maliciously crafted website may have led to disclosure of information from the Address Book "Me" card that was not included in the Autofill popover. This issue was addressed by limiting Autofill to the fields contained in the popover.

CVE-ID

CVE-2012-3714 : Jonathan Hogervorst of Buzzera

 


Safari

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

Impact: After editing an HTTPS URL in the address bar, a request may be unexpectedly sent over HTTP

Description: A logic issue existed in the handling of HTTPS URLs in the address bar. If a portion of the address was edited by pasting text, the request may be unexpectedly sent over HTTP. This issue was addressed by improved handling of HTTPS URLs.

CVE-ID

CVE-2012-3715 : Aaron Rhoads of East Watch Services LLC, Pepi Zawodsky

 


WebKit

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

CVE-ID

CVE-2011-3105 : miaubiz

CVE-2012-2817 : miaubiz

CVE-2012-2818 : miaubiz

CVE-2012-2829 : miaubiz

CVE-2012-2831 : miaubiz

CVE-2012-2842 : miaubiz

CVE-2012-2843 : miaubiz

CVE-2012-3598 : Apple Product Security

CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer

CVE-2012-3602 : miaubiz

CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3612 : Skylined of the Google Chrome Security Team

CVE-2012-3613 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3614 : Yong Li of Research In Motion, Inc.

CVE-2012-3616 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3617 : Apple Product Security

CVE-2012-3621 : Skylined of the Google Chrome Security Team

CVE-2012-3622 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3623 : Skylined of the Google Chrome Security Team

CVE-2012-3624 : Skylined of the Google Chrome Security Team

CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3643 : Skylined of the Google Chrome Security Team

CVE-2012-3647 : Skylined of the Google Chrome Security Team

CVE-2012-3648 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3649 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team

CVE-2012-3651 : Abhishek Arya and Martin Barbella of the Google Chrome Security Team

CVE-2012-3652 : Martin Barbella of the Google Chrome Security Team

CVE-2012-3654 : Skylined of the Google Chrome Security Team

CVE-2012-3657 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3658 : Apple

CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3660 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome Security Team

CVE-2012-3672 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3673 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3675 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3676 : Julien Chaffraix of the Chromium development community

CVE-2012-3677 : Apple

CVE-2012-3684 : kuzzcc

CVE-2012-3685 : Apple Product Security

CVE-2012-3687 : kuzzcc

CVE-2012-3688 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3692 : Skylined of the Google Chrome Security Team, Apple Product Security

CVE-2012-3699 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3700 : Apple Product Security

CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3702 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3703 : Apple Product Security

CVE-2012-3704 : Skylined of the Google Chrome Security Team

CVE-2012-3705 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3706 : Apple Product Security

CVE-2012-3707 : Abhishek Arya (Inferno) of the Google Chrome Security Team

CVE-2012-3708 : Apple

CVE-2012-3709 : Apple Product Security

CVE-2012-3710 : James Robinson of Google

CVE-2012-3711 : Skylined of the Google Chrome Security Team

CVE-2012-3712 : Abhishek Arya (Inferno) of the Google Chrome Security Team