With all eyes turned to Apple’s Worldwide Developers Conference in anticipation of the iPhone 3G S announcement, many will miss the release of Safari 4 for Mac OS and Windows. The headlines for Safari 4 include “Browsing made beautiful. And smart.”, “See the Web in a Whole New Way!” and “The World’s Fastest Browser” (a little challenge directed at Google Chrome here?). One thing left out of the headlines? Over 45 vulnerabilities closed in this update!

A quick count shows that about 35 of the closed vulnerabilities affected both the Mac OS and Windows versions of Safari, and at least 10 were Windows only (none were Mac OS only). The very large majority of these vulnerabilities are classified as “Arbitrary code execution”, the worst kind. Here are some example “impact” statements direct from Apple’s notification:

Impact:  Downloaded image files may be misidentified as HTML, leading to JavaScript execution without warning the user

Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Impact:  Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution

Impact:  Visiting a maliciously crafted website may lead to a cross-site scripting attack

Impact: Unicode ideographic spaces may be used to spoof a website

So don’t let any ogling and drooling over the iPhone 3.0 OS and the iPhone 3G S distract you from looking very closely at the new Safari update! “Arbitrary code” may be in your future if you do…