« T-Mobile erhöht iPhone-Gerätepreise in den kleinsten Tarifen ab dem 15. August | Start | AirPort-Patch gegen WLAN-Probleme spezifischer MacBook- und MBP-Modelle mit Mac OS X 10.5.8 »
11.08.2009
Safari 4.0.3 veröffentlicht
Safari 4.0.3 "enthält Verbesserungen der Stabilität, Kompatibilität und Sicherheit, einschließlich: Stabilitätsverbesserungen für Websites, die das HTML 5 Video-Tag enthalten; Behebung eines Fehlers, aufgrund dessen sich einige Benutzer nicht bei iWork.com anmelden konnten; Behebung eines Fehlers, aufgrund dessen Webinhalte schwarzweiß anstatt farbig dargestellt werden". Safari 4.0.3 ist gut 40 Megabyte groß und erfordert einen anschließenden Neustart, das Update schließt außerdem mehrere Sicherheitslücken. (Danke an memo und alle weiteren Tippgeber!)
CoreGraphics
CVE-ID: CVE-2009-2468
Available for: Windows XP and Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the drawing of long
text strings. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit
to Will Drewry of Google Inc for reporting this issue.
ImageIO
CVE-ID: CVE-2009-2188
Available for: Windows XP and Vista
Impact: Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of EXIF
metadata. Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking.
Safari
CVE-ID: CVE-2009-2196
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact: A maliciously crafted website may be promoted into Safari's
Top Sites view
Description: Safari 4 introduced the Top Sites feature to provide an
at-a-glance view of a user's favorite websites. It is possible for a
malicious website to promote arbitrary sites into the Top Sites view
through automated actions. This could be used to facilitate a
phishing attack.
This issue is addressed by preventing automated website visits
from affecting the Top Sites list. Only websites that the
user visits manually can be included in the Top Sites list. As a
note, Safari enables fraudulent site detection by default. Since the
introduction of the Top Sites feature, fraudulent sites are not
displayed in the Top Sites view. Credit to Inferno of
SecureThoughts.com for reporting this issue.
WebKit
CVE-ID: CVE-2009-2195
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in WebKit's parsing of
floating point numbers. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit: Apple.
WebKit
CVE-ID: CVE-2009-2200
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Visiting a maliciously crafted website and clicking "Go"
when viewing a malicious plug-in dialog may lead to the disclosure of
sensitive information
Description: WebKit allows the pluginspage attribute of the 'embed'
element to reference file URLs. Clicking "Go" in the dialog that
appears when an unknown plug-in type is referenced will redirect to
the URL listed in the pluginspage attribute. This may allow a remote
attacker to launch file URLs in Safari, and lead to the disclosure of
sensitive information. This update addresses the issue by restricting
the pluginspage URL scheme to http or https. Credit to Alexios Fakos
of n.runs AG for reporting this issue.
WebKit
CVE-ID: CVE-2009-2199
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could be used to create a URL which contains
look-alike characters. These could be used in a malicious website to
direct the user to a spoofed site that visually appears to be a
legitimate domain. This update addresses the issue by supplementing
WebKit's list of known look-alike characters. Look-alike characters
are rendered in Punycode in the address bar. Credit to Chris Weber of
Casaba Security, LLC for reporting this issue.
Posted by Leo at 22:44 | Permalink
TrackBack
TrackBack-Adresse für diesen Eintrag:
https://www.typepad.com/services/trackback/6a00d83451c7b569e20120a4e629ec970b
Listed below are links to weblogs that reference Safari 4.0.3 veröffentlicht:
