Apple Releases Safari 5.0.2 with Bug Fixes, Security Patches


Apple updated Safari to version 5.0.2 for Mac and Windows Tuesday, an update that includes both bug fixes and security patches for the company’s Web browser. The update also adds an encrypted connection for users visiting the company’s Safari Extension Gallery, a gallery of third-party Safari Extensions.

The company also updated Safari 4 to version 4.1.2 with the same security enhancements included in version 5.0.2.

The patch notes for the update are:

  • Fixes an issue that could prevent users from submitting web forms
  • Fixes an issue that could cause web content to display incorrectly when viewing a Google Image result with Flash 10.1 installed
  • Establishes an encrypted, authenticated connection to the Safari Extensions Gallery

The security notes for the update specify the following fixes for both Safari and the WebKit rendering engine at the heart of the browser:

Safari
CVE-ID: CVE-2010-1805
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a file in a directory that is writable by other users may lead to arbitrary code execution
Description: A search path issue exists in Safari. When displaying the location of a downloaded file, Safari launches Windows Explorer without specifying a full path to the executable. Launching Safari by opening a file in a specific directory will include that directory in the search path. Attempting to reveal the location of a downloaded file may execute an application contained in that directory, which may lead to arbitrary code execution. This issue is addressed by using an explicit search path when launching Windows Explorer. This issue does not affect Mac OS X systems. Credit to Simon Raner of ACROS Security for reporting this issue.
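The search path behaviour behind CVE-2010-1805 can be modelled offline. The following is an added example, not Apple's code: it assumes the documented Windows CreateProcess search order for a command without a directory part (the notes do not say which API Safari called), and every path in it is constructed. It shows why a bare `explorer.exe` resolves differently depending on the current directory, and why a fully qualified path does not.

```python
import ntpath  # Windows path rules, usable on any platform

WINDOWS_DIR = r"C:\Windows"  # assumed default Windows directory

def search_dirs(app_dir, cwd, path_env=()):
    """Directories tried, in order, for a command with no directory part."""
    return [app_dir, cwd,
            ntpath.join(WINDOWS_DIR, "System32"),
            ntpath.join(WINDOWS_DIR, "System"),
            WINDOWS_DIR, *path_env]

def resolve(command, existing, app_dir, cwd, path_env=()):
    """Return the file that would be launched for `command`, or None."""
    files = {ntpath.normcase(f) for f in existing}
    if ntpath.isabs(command):
        # Fully qualified: no search takes place, the current directory is irrelevant.
        candidates = [command]
    elif ntpath.dirname(command):
        # Partial path: resolved against the current directory only.
        candidates = [ntpath.join(cwd, command)]
    else:
        candidates = [ntpath.join(d, command)
                      for d in search_dirs(app_dir, cwd, path_env)]
    for candidate in candidates:
        if ntpath.normcase(candidate) in files:
            return candidate
    return None

def resolves_outside_trusted(command, existing, app_dir, cwd, trusted_dirs):
    """True if the launch would run a file from a directory not in trusted_dirs."""
    hit = resolve(command, existing, app_dir, cwd)
    if hit is None:
        return False
    trusted = {ntpath.normcase(d) for d in trusted_dirs}
    return ntpath.normcase(ntpath.dirname(hit)) not in trusted

# Constructed sample layout (hypothetical paths, not taken from the advisory).
APP_DIR = r"C:\Program Files\Safari"
SHARED_DIR = r"C:\Shared\Downloads"   # directory writable by other users
HOME_DIR = r"C:\Users\alice"
FILES = [r"C:\Windows\explorer.exe",
         r"C:\Shared\Downloads\explorer.exe",  # file placed by another user
         r"C:\Program Files\Safari\Safari.exe"]
TRUSTED = [APP_DIR, WINDOWS_DIR, ntpath.join(WINDOWS_DIR, "System32")]

if __name__ == "__main__":
    for cwd in (HOME_DIR, SHARED_DIR):
        print(cwd, "->", resolve("explorer.exe", FILES, APP_DIR, cwd))
    print("explicit ->", resolve(r"C:\Windows\explorer.exe", FILES, APP_DIR, SHARED_DIR))
```

The same `resolves_outside_trusted` check can be run over a list of process-launch strings found in a code review to flag any that rely on the search order.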

WebKit
CVE-ID: CVE-2010-1807
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
Description: An input validation issue exists in WebKit’s handling of floating point data types. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of floating point values. Credit to Luke Wagner of Mozilla for reporting this issue.

WebKit
CVE-ID: CVE-2010-1806
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
Description: A use after free issue exists in WebKit’s handling of elements with run-in styling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of object pointers. Credit to wushi of team509, working with TippingPoint’s Zero Day Initiative, for reporting this issue.

Mac users can download the update through Software Update, while Windows users can use the Apple Updater utility. The update is also available on Apple’s Safari download page. It’s a 39.2MB download for Mac OS X.


Comments

popbunka

Great! I hope this helps with all the spinning beach balls I’ve been getting in Safari…

MacKeeper_fan_Mod

“Fixes an issue that could prevent users from submitting web forms”

Does anyone know more about this? I’ve been submitting applications for employment via web forms in Safari. They seemed to work okay, but I’d hate to find out that they weren’t showing up properly to employers all this time!!!
