Safari 4.0.5

Door redactie op 15 maart 2010 - 16:03

Safari 4.0.5 is voornamelijk een beveiligingsupdate voor Apples browser. Zo worden maar liefst zestien lekken in Safari 4.0.5 dichtgeplakt. Verder zijn de stabiliteit van enkele plugins en de weergave van websites met SVG vergroot en zijn de prestaties van Top Sites verbeterd. Ook is een probleem opgelost waardoor Safari veranderingen in de instellingen van Linksys-routers blokkeerde.

De opgeloste beveiligingslekken worden door Secunia als kritiek beoordeeld. Negen zitten in de onderliggende Webkit-engine die Apple gebruikt als motor voor Safari. Vier in de verwerking van afbeeldingen door Apples browser. Zes van de zestien lekken hebben trouwens alleen betrekking op de Windows-versie van Safari. De overige tien spelen zowel onder Windows als Mac OS X op.

Release notes:

  • Performance improvements for Top Sites
  • Stability improvements for 3rd-party plug-ins
  • Stability improvements for websites with online forms and Scalable Vector Graphics
  • Fixes an issue that prevented Safari from changing settings on some Linksys routers

Opgeloste beveiligingslekken:

  • ColorSync

    CVE-ID: CVE-2010-0040

    Available for: Windows 7, Vista, XP

    Impact: Viewing a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution

    Description: An integer overflow that could result in a heap buffer overflow exists in the handling of images with an embedded color profile. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. The issue is addressed by performing additional validation of color profiles. This issue does not affect Mac OS X systems. Credit to Sebastien Renaud of VUPEN Vulnerability Research Team for reporting this issue.

  • ImageIO

    CVE-ID: CVE-2009-2285

    Available for: Windows 7, Vista, XP

    Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2010-001.

  • ImageIO

    CVE-ID: CVE-2010-0041

    Available for: Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may result in sending data from Safari's memory to the website

    Description: An uninitialized memory access issue exists in ImageIO's handling of BMP images. Visiting a maliciously crafted website may result in sending data from Safari's memory to the website. This issue is addressed through improved memory handling and additional validation of BMP images. Credit to Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue.

  • ImageIO

    CVE-ID: CVE-2010-0042

    Available for: Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may result in sending data from Safari's memory to the website

    Description: An uninitialized memory access issue exists in ImageIO's handling of TIFF images. Visiting a maliciously crafted website may result in sending data from Safari's memory to the website. This issue is addressed through improved memory handling and additional validation of TIFF images. Credit to Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue.

  • ImageIO

    CVE-ID: CVE-2010-0043

    Available for: Windows 7, Vista, XP

    Impact: Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. Credit to Gus Mueller of Flying Meat for reporting this issue.

  • PubSub

    CVE-ID: CVE-2010-0044

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting or updating a feed may result in a cookie being set, even if Safari is configured to block cookies

    Description: An implementation issue exists in the handling of cookies set by RSS and Atom feeds. Visiting or updating a feed may result in a cookie being set, even if Safari is configured to block cookies via the "Accept Cookies" preference. This update addresses the issue by respecting the preference while updating or viewing feeds.

  • Safari

    CVE-ID: CVE-2010-0045

    Available for: Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: An issue in Safari's handling of external URL schemes may cause a local file to be opened in response to a URL encountered on a web page. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved validation of external URLs. This issue does not affect Mac OS X systems. Credit to Billy Rios and Microsoft Vulnerability Research (MSVR) for reporting this issue.

  • WebKit

    CVE-ID: CVE-2010-0046

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in WebKit's handling of CSS format() arguments. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS format() arguments. Credit to Robert Swiecki of Google Inc. for reporting this issue.

  • WebKit

    CVE-ID: CVE-2010-0047

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A use-after-free issue exists in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative, for reporting this issue.

  • WebKit

    CVE-ID: CVE-2010-0048

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A use-after-free issue exists in WebKit's parsing of XML documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.

  • Webkit

    CVE-ID: CVE-2010-0049

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A use-after-free issue exists in the handling of HTML elements containing right-to-left displayed text. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi&Z of team509 for reporting this issue.

  • WebKit

    CVE-ID: CVE-2010-0050

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A use-after-free issue exists in WebKit's handling of incorrectly nested HTML tags. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi&Z of team509 working with TippingPoint's Zero Day Initiative for reporting this issue.

  • WebKit

    CVE-ID: CVE-2010-0051

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

    Description: An implementation issue exists in WebKit's handling of cross-origin stylesheet requests. Visiting a maliciously crafted website may disclose the content of protected resources on another website. This update addresses the issue by performing additional validation on stylesheets that are loaded during a cross-origin request.

  • WebKit

    CVE-ID: CVE-2010-0052

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A use-after-free issue exists in WebKit's handling of callbacks for HTML elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit: Apple.

  • WebKit

    CVE-ID: CVE-2010-0053

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A use-after-free issue exists in the rendering of content with a CSS display property set to 'run-in'. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

  • WebKit

    CVE-ID: CVE-2010-0054

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A use-after-free issue exists in WebKit's handling of HTML image elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit: Apple.

Download: 

Download Safari 4.0.5

Bron: 

Apple

  • 2307 keer gelezen

Reageren

Meer informatie over tekstopmaak

Plain text

  • Toegelaten HTML-tags: <em> <strong> <br> <p>
  • Adressen van webpagina's en e-mailadressen worden automatisch naar links omgezet.
  • Regels en paragrafen worden automatisch gesplitst.
Verplichte controlevraag
Om spam tegen te houden
n_derland