Apple has issued a new round of patches to cover critical issues in its Safari browser.
All totaled, Apple plugged six security holes. Three of them cover problems in the browser’s Webkit engine, which also powers Google Chrome. Arguably the most serious of the Webkit issues is a buffer overflow vulnerability in the engine’s parsing of floating point numbers. If a user visits a malicious Web page, an attacker can exploit the situation to execute code on the compromised system, Apple warned in the advisory.
In addition to the Webkit bugs, there is a fix for a flaw tied to the Top Sites feature Apple introduced in Safari 4.0. Designed to provide users with thumbnails of sites they frequently surf, the feature can be abused by attackers to lure users to rogue sites.
“This issue is addressed by preventing automated Website visits from affecting the Top Sites list,” Apple officials wrote in the advisory. “Only Websites that the user visits manually can be included in the Top Sites list.”
Two of the fixes – one affecting the CoreGraphics component, the other ImageIO – are specifically aimed at Windows XP and Vista. Both vulnerabilities can be exploited via malicious sites, Apple warned in its advisory.
“It doesn’t matter whether you run Safari on a Mac OS X or Windows computers, it’s important that you apply these security patches detailed in a security advisory on Apple’s Website,” blogged Graham Cluley, senior technology consultant at Sophos.
Safari 4.0.3 for Windows or Mac is available for download here.