APPLE-SA-2010-03-11-1 Safari 4.0.5
Friday, March 12, 2010 at 06:49AM
drStrangeP0rk in Client, Mac OSX 10.5, Mac OSX 10.6, Safari, Server, Updates

Apple has released a security update to Safari to 4.0.5 to address 10 issues including zero -days related to ColorSync, ImageIO and WebKit. Six additional issues affect the windows version of Safari. 

One issue is related to bypassing the blocking of cookies even if Safari is set to block them when using PubSub. PubSub is used for feed handling, cookies set by RSS and Atom feeds would be accepted even if Safari is set to block them. This implementation error has been corrected. Some of the vulnerabilities in WebKit center around the handling of CSS, HTML handling and XML documents resulting in memory corruption which can result in malicious code execution or application DOS.  One such vulnerability related to the handling of CSS format () arguments resulting in application DOS and malicious code execution is addressed with better memory tracking. Other issues include the handling of HTML element callback content, handling of right-to-left display text, use after free handling of incorrectly nested HTML tags and parsing of XML documents. Again, these WebKit issues are addressed by improving memory reference tracking. 

There are also a host of improvements in the handling of 3rd party plug-ins, stability improvements for Web sites that use forms, stability improvements in the handling of Scalable Vector Graphics and fixing an issue related to iWork.com users being unable to comment on documents. The installation does require a restart of the system and is critical, users should not surf the Web with Safari until this update is installed. 

Article originally appeared on magmatic.com (http://www.magmatic.com/).
See website for complete article licensing information.