About the security content of Safari 4.0.3

This document describes the security content of Safari 4.0.3.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Safari 4.0.3

  • CoreGraphics

    CVE-ID: CVE-2009-2468

    Available for: Windows XP and Vista

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow exists in the drawing of long text strings. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Will Drewry of Google Inc for reporting this issue.

  • ImageIO

    CVE-ID: CVE-2009-2188

    Available for: Windows XP and Vista

    Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow exists in the handling of EXIF metadata. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

  • Safari

    CVE-ID: CVE-2009-2196

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista

    Impact: A maliciously crafted website may be promoted into Safari's Top Sites view

    Description: Safari 4 introduced the Top Sites feature to provide an at-a-glance view of a user's favorite websites. It is possible for a malicious website to promote arbitrary sites into the Top Sites view through automated actions. This could be used to facilitate a phishing attack. This issue is addressed by preventing automated website visits from affecting the Top Sites list. Only websites that the user visits manually can be included in the Top Sites list. As a note, Safari enables fraudulent site detection by default. Since the introduction of the Top Sites feature, fraudulent sites are not displayed in the Top Sites view. Credit to Inferno of SecureThoughts.com for reporting this issue.

  • WebKit

    CVE-ID: CVE-2009-2195

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow exists in WebKit's parsing of floating point numbers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.

  • WebKit

    CVE-ID: CVE-2009-2200

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista

    Impact: Visiting a maliciously crafted website and clicking "Go" when viewing a malicious plug-in dialog may lead to the disclosure of sensitive information

    Description: WebKit allows the pluginspage attribute of the 'embed' element to reference file URLs. Clicking "Go" in the dialog that appears when an unknown plug-in type is referenced will redirect to the URL listed in the pluginspage attribute. This may allow a remote attacker to launch file URLs in Safari, and lead to the disclosure of sensitive information. This update addresses the issue by restricting the pluginspage URL scheme to http or https. Credit to Alexios Fakos of n.runs AG for reporting this issue.

  • WebKit

    CVE-ID: CVE-2009-2199

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista

    Impact: Look-alike characters in a URL could be used to masquerade a website

    Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit's list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.

Published Date: