About the security content of Safari 6.0.1

Learn about the security content of Safari 6.0.1.

This document describes the security content of Safari 6.0.1.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

Safari 6.0.1

Note: For OS X Mountain Lion systems, Safari 6.0.1 is included with OS X Mountain Lion v10.8.2.

• Safari

  Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

  Impact: Opening a maliciously crafted downloaded HTML document may lead to the disclosure of local file content

  Description: In OS X Mountain Lion HTML files were removed from the unsafe type list. Quarantined HTML documents are opened in a safe mode that prevents accessing other local or remote resources. A logic error in Safari's handling of the Quarantine attribute caused the safe mode not to be triggered on Quarantined files. This issue was addressed by properly detecting the existence of the Quarantine attribute.

  CVE-ID

  CVE-2012-3713 : Aaron Sigel of vtty.com, Masahiro Yamada

• Safari

  Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

  Impact: Using Autofill on a maliciously crafted website may lead to the disclosure of contact information

  Description: A rare condition existed in the handling of Form Autofill. Using Form Autofill on a maliciously crafted website may have led to disclosure of information from the Address Book "Me" card that was not included in the Autofill popover. This issue was addressed by limiting Autofill to the fields contained in the popover.

  CVE-ID

  CVE-2012-3714 : Jonathan Hogervorst of Buzzera

• Safari

  Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

  Impact: After editing a HTTPS URL in the address bar, a request may be unexpectedly sent over HTTP

  Description: A logic issue existed in the handling of HTTPS URLs in the address bar. If a portion of the address was edited by pasting text, the request may be unexpectedly sent over HTTP. This issue was addressed by improved handling of HTTPS URLs.

  CVE-ID

  CVE-2012-3715 : Aaron Rhoads of East Watch Services LLC, Pepi Zawodsky

• WebKit

  Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

  Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

  Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

  CVE-ID

  CVE-2011-3105 : miaubiz

  CVE-2012-2817 : miaubiz

  CVE-2012-2818 : miaubiz

  CVE-2012-2829 : miaubiz

  CVE-2012-2831 : miaubiz

  CVE-2012-2842 : miaubiz

  CVE-2012-2843 : miaubiz

  CVE-2012-3598 : Apple Product Security

  CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer

  CVE-2012-3602 : miaubiz

  CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3612 : Skylined of the Google Chrome Security Team

  CVE-2012-3613 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3614 : Yong Li of Research In Motion, Inc.

  CVE-2012-3616 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3617 : Apple Product Security

  CVE-2012-3621 : Skylined of the Google Chrome Security Team

  CVE-2012-3622 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3623 : Skylined of the Google Chrome Security Team

  CVE-2012-3624 : Skylined of the Google Chrome Security Team

  CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3643 : Skylined of the Google Chrome Security Team

  CVE-2012-3647 : Skylined of the Google Chrome Security Team

  CVE-2012-3648 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3649 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team

  CVE-2012-3651 : Abhishek Arya and Martin Barbella of the Google Chrome Security Team

  CVE-2012-3652 : Martin Barbella of Google Chrome Security Team

  CVE-2012-3654 : Skylined of the Google Chrome Security Team

  CVE-2012-3657 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3658 : Apple

  CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3660 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome Security Team

  CVE-2012-3672 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3673 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3675 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3676 : Julien Chaffraix of the Chromium development community

  CVE-2012-3677 : Apple

  CVE-2012-3684 : kuzzcc

  CVE-2012-3685 : Apple Product Security

  CVE-2012-3687 : kuzzcc

  CVE-2012-3688 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3692 : Skylined of the Google Chrome Security Team, Apple Product Security

  CVE-2012-3699 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3700 : Apple Product Security

  CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3702 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3703 : Apple Product Security

  CVE-2012-3704 : Skylined of the Google Chrome Security Team

  CVE-2012-3705 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3706 : Apple Product Security

  CVE-2012-3707 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2012-3708 : Apple

  CVE-2012-3709 : Apple Product Security

  CVE-2012-3710 : James Robinson of Google

  CVE-2012-3711 : Skylined of the Google Chrome Security Team

  CVE-2012-3712 : Abhishek Arya (Inferno) of the Google Chrome Security Team