Apple updates Safari with 11 security fixes

On Thursday, Apple released Safari 3.2. Although the update affects both Mac and Windows users, many of the Mac updates were provided in Apple's October update for Mac OS X users. The update includes eight fixes specific to Safari and three specific to Webkit.

Safari 3.2 is available via the Apple Software Update application, the Apple Software Downloads page, or Apple's Safari download site.

Safari-1
This patch affects Safari users on Windows XP or Vista. This update addresses multiple vulnerabilities in zlib 1.2.2 detailed within CVE-2005-2096. Apple credits Robbie Joosten of bioinformatics@school, and David Gunnells of the University of Alabama at Birmingham for reporting the vulnerabilities.

Safari-2
This patch affects users of Windows XP or Vista. This update addresses the security issue in the libxslt library detailed within CVE-2008-1767 in which processing an XML document may lead to an unexpected application termination or arbitrary code execution. Apple credits Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of the Google Security Team for finding the vulnerability.

Safari-3
This patch affects users of Windows XP or Vista. The update addresses the heap buffer overflow issue that exists in the CoreGraphics' handling of color spaces detailed within CVE-2008-3623 in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.

Safari-4
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-2327 in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.

Safari-5
This patch affects users of Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-2332 in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Specifically, a memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Apple credits Robert Swiecki of the Google Security Team for finding the vulnerability.

Safari-6
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-3608 in which viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.

Safari-7
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-3642 in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.

Safari-8
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, or Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-3644 in which disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user. Apple credits an anonymous researcher for finding the vulnerability.

WebKit-1
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, or Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-2303 in which visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. Apple credits SkyLined of Google for finding the vulnerability.

WebKit-2
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, and Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-2317 in which visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. Specifically, a memory corruption issue exists in WebCore's handling of style sheet elements. The issue has already been addressed in systems running Mac OS X v10.5.5. Apple credits the TippingPoint Zero Day Initiative for finding the vulnerability.

Webkit-3
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, and Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-4216 in which visiting a maliciously crafted Web site may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface. Apple credits Billy Rios of Microsoft, and Nitesh Dhanjani of Ernst & Young for finding this vulnerability.

[joetesta70]

LOL! Holes holes holes in apple products. Isn't this the second set of fixes Apple's had to release in just the last week?

I'm sure all 3 Safari users will be thrilled. Go Firefox!

[Perry_Clease]

Your right kid! It is the second set of security fixes this week, but it didn't take Apple 7 years to issue them.

GTFU

[ballmerisanape]

Yea.. you tell 'em. It's much better when a company doesn't fix problems until they are exploited.

[lkrupp]

Missing from the above C|net article is the additional fact that Safari 3.2 now includes an anti-phishing option in the Security preference panel.

[Penguinisto]

Question: Seven of the 11 fixes affect Windows only. Some of them are creepily familiar to the ones Microsoft recently patched for IE/Windows as well, and patched very near time-wise to each other. What kind of potential conflicts can one expect (on either end)?

/P

[Perry_Clease]

FireFox also issued a dozen patches today, which the Troll failed to mention.

[ferretboy88]

Try to tell me Quicktime is not a security nightmare. A hole is a hole.

[Penguinisto]

@Perry... yep. and IE has a pile as well that come out periodically (though those do get hidden very well, or the workaround/patch shows up in another link of the vector chain, like Core XML...)

[mbenedict]

@Penguinisto:

Nice try to spread FUD, but NONE of those seven vulnerabilities are Windows only. This particular update fixes them for Windows, but NONE of them are caused by Windows and ALL of them affect other systems as well (including Linux & OS X).

Of the seven fixes targeted for Windows:

* Four of them (Safari-1, Safari-2, Safari-4 and Safari-5) are vulnerabilities in Open Source libraries used by Safari, namely zlib, libxslt and libTIFF (for the last two). These bugs affect numerous systems including OS X and Linux. For OS X they were fixed as part of Security Updates 2008-006 and 2008-007.

* The other three (Safari-3, Safari-6, Safari-7) are vulnerabilities in Apple's own libraries. Safari-3 has the least disclosure but appears related to CVE-2008-2322 fixed in Security Update 2008-005. Safari-6 and Safari-7 were fixed for OS X as part of Security Updates 2008-006 and 2008-007, respectively.

[Penguinisto]

So tell us why Windows is the only listed OS as being vulnerable for seven of them? If it was as you say, then it would have said "All systems", or would have listed OSX, Linux, et al (BTW - there's no Safari for Linux out there, big guy ;) ).

On my Mac right now, I only have to worry about four of those, period (Safari-8 and the WebKit patches). Prove otherwise if you can - I honestly want you to.

While you and I (well, at least I) cannot access the source code for Windows to point at specifics, I can say that thanks to the proprietary and obfuscatory nature of Windows, there's little wonder that there would be more flaws for the Windows version of the affected code. And no, the code would not match between all systems as you insinuated - the OSes' individual API/hook structures prevent that.

/P

[Penguinisto]

PS: The question in that post you so eagerly bumbled into has yet to be answered ;)

[mbenedict]

@Penguinisto the Apple troll:

I know reading comprehension isn't your strong point, but please read my post again.

I'll try to spell it out again here in short sentences to help you out:

When Apple discovers a security issue, it doesn't always patch OS X and Windows at the same time. One set of patches are released for OS X. Another set of patches go in for Windows. Do you understand thus far?

Of the seven vulnerabilities you refer to, Apple released OS X patches for them as part of Apple OS X Security Updates 2008-5, 2008-6, and 2008-7.

For the same seven vulnerabilities, the Windows patches were delivered as part of Safari 3.2, the subject of this article.

If you still can't comprehend, I recommend hiring a tutor.

[ittesi259]

@mbenedict....you might help by citing your reference as the information you list is NOT in the article above.

Not saying I don't believe you, but if you are looking at another page (like an official Apple one) it might help Penguinisto if you cite it.

[mbenedict]

Aw, come on now ittesi259, the burden of proof is on Penguinisto's court, he's the one spreading FUD. Besides (as usual) I've already "pre-answered" followup questions if you read my posts carefully. As I often say to Penguinisto, "re-read my post".

Take for example the issue labeled "Safari-6" above, which Penguinisto claims to only affect Windows. The article states Safari-6 is a JPEG vulnerability identified as "CVE-2008-3608" (a reference to the "Common Vulnerability Database").

Here's an excerpt of what Apple says about CVS-2008-3608:

(from http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html)

CVE-ID: CVE-2008-3608
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, Mac OS X Server v10.5 through v10.5.4
Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution

Wow, look at that Penguinisto, contrary to your claim this security hole affects Mac OS and Mac OS Server too... just like I wrote.

And if you read the above link, it says the OS X patch for CVE-2008-3608 was part of "Security Update 2008-006"... just like I wrote.

I'll leave tracing the other six bugs as homework for Penguinisto. Hint: I've already provided enough details in my post so two seconds worth of Googling will confirm what I've written.

[ferretboy88]

Safari stinks. Quicktime looks like swiss cheese also.

[MafiaPenguin]

So apple isnt perfect anymore....

[ElDudde]

Apple never was perfect except in the minds of the Applelites who embrace Apple as a religion.

[ittesi259]

Not all Apple users are "Appleites"....considering I fully expect security patches regardless of who I use. I however expect them in a timely manner....not 7 years later because it might break something. That was ridiculous.

[mbenedict]

Oh, get off it. I can think of at least one serious remotely exploitable vulnerability Apple didn't fix for 7 years or so.

E.g., there was a longstanding bug in an AirPort card driver that Apple only fixed after being publicly shamed in the Month of Kernel Bugs, a few years after Apple stopped shipping said card.

[Ipopngraphics]

What IS perfect is the record of postings here at CNET by Apple bashers. They NEVER miss an article or news bit, or any other chance to sound off like 3rd graders who got chosen last for the kickball team (or not at all).

Cheese n rice my 14 year old has more intelligent conversations than this.

Grow up.

[monkeyfun14]

Oh cause Windows bashers never take the opportunity to say Windows is garbage at every article about it?

[Ipopngraphics]

Go and read the comments on a few articles about Windows.... and then come back and tell me how many bashings you see there from Apple users....

When you post your nasty comments in the Apple forums, you bet we are going to respond. But we don't "seek you out" just to bash Windows. We have better things to do.

[DrtyDogg]

wow, every article about windows I just looked at was filled with hate based comments. Look yourself. And where does this "we, you" stuff come from? It isn't a religion it is a tool.

[Ipopngraphics]

What you saw were PC users bashing Windows, not Mac users. Most Mac users don't even read Windows articles... why would we? We are busy using our computers, not trying to figure out how to fix them....

[AppleSuxLeo]

Apple went on a Safari...and came down with malaria !

[Ipopngraphics]

See reference to 3rd graders above. I think you just made my point... thank you.

[ittesi259]

SMB went for a stroll and 7 years later got a band aid.......

[ferretboy88]

Why would a guy named Penguin love Apple so much? They are closed source to the core. With Penguins its all about the free baby.

[MafiaPenguin]

I like Linux (but I decided that after I made my account!)

[jumpjetta]

Apple users beware. This update has made Safari very unstable for me on two of my machines. Sites such as Ebay and Flickr seem to crash the browser quite a bit. I have seen these complaints a number of other places.