Apple + Security & Privacy

Apple Plugs Six Holes in Safari Update

Posted on August 12th, 2009 by

Apple has issued a security update for the Safari web browser, with six vulnerabilities being patched. Two of these are for Windows versions of the software, and the others are for both Mac and Windows versions. One of the bugs involves the program's Top Sites feature:

It is possible for a malicious website to promote arbitrary sites into the Top Sites view through automated actions. This could be used to facilitate a phishing attack.

Another involves "look-alike" characters; these are characters in extended character sets that strongly resemble other characters. For example, the digit "1" looks like the letter "l" in many fonts; there are many other characters in extended character sets that show similarities to common letters:

The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit's list of known look-alike characters.

Users can download the new version of Safari from Software Update, or by going here. More information about the update can be found here.

Comments are closed.

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}