Cupertino-based software developer Apple has rolled out an update for its web browser, Safari 4.0.2. This update is meant to improve the stability of the Nitro JavaScript engine according to Apple, and it is also meant to address a couple of security holes in the software. You are very well advised to update your Safari browser – you can do so via Software Update, or by manually downloading Safari 4.0.2 (download location at the bottom of the article).
As a little reminder, Apple rolled out Safari 4.0.1 less than a month ago. The update was meant to fix some compatibility issues between Safari and iPhone 09. Compared to the previous update, version 4.0.2 comes with a bit more grunt: it makes the Nitro JavaScript engine a bit more stable and fixes two vulnerabilities that might put your online security at risk – one may allow cross-site scripting attacks and the other might allow arbitrary code execution.
Here is a more detailed look at the security issues the Safari 4.0.2 update addresses:
CVE-ID: CVE-2009-1724
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
CVE-ID: CVE-2009-1725
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
If you would like to get Safari 4.0.2, you can download it straight from Apple here.
As a little reminder, Apple rolled out Safari 4.0.1 less than a month ago. The update was meant to fix some compatibility issues between Safari and iPhone 09. Compared to the previous update, version 4.0.2 comes with a bit more grunt: it makes the Nitro JavaScript engine a bit more stable and fixes two vulnerabilities that might put your online security at risk – one may allow cross-site scripting attacks and the other might allow arbitrary code execution.
Here is a more detailed look at the security issues the Safari 4.0.2 update addresses:
CVE-ID: CVE-2009-1724
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
CVE-ID: CVE-2009-1725
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
If you would like to get Safari 4.0.2, you can download it straight from Apple here.