Apple has issued a security update for the Safari web browser, with six vulnerabilities being patched. Two of these are for Windows versions of the software, and the others are for both Mac and Windows versions. One of the bugs involves the program’s Top Sites feature:
It is possible for a malicious website to promote arbitrary sites into the Top Sites view through automated actions. This could be used to facilitate a phishing attack.
Another involves “look-alike” characters; these are characters in extended character sets that strongly resemble other characters. For example, the digit “1″ looks like the letter “l” in many fonts; there are many other characters in extended character sets that show similarities to common letters:
The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit’s list of known look-alike characters.