Apple on Tuesday patched code execution and cross-site scripting vulnerabilities on Tiger, Leopard, Vista and XP in a Safari update that included 13 patches.
Apple historically has delivered patches along with new feature or software updates. It's easy to miss the security angle among the new Safari hubbub (Techmeme). Here's a look at the vulnerabilities Apple plugged with its latest update.
CVE-2008-1010: This update is for Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista and addresses problems with WebKit. The problem: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, says Apple. As for the details:
CVE-2008-1011: This patch addressed a cross-site scripting vulnerability in WebKit. The update is available for Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. Apple notes: "A cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through improved handling of cross-domain method calls. Credit to David Bloom for reporting this issue."
The other CVEs were all variations on the same cross-site scripting theme. By product and CVE number:
WebCore (CVE-2008-1003, CVE-2008-1004, CVE-2008-1005, CVE-2008-1006, CVE-2008-1007, CVE-2008-1008, CVE-2008-1009): These updates address cross-site scripting vulnerabilities of various flavors on Leopard, Tiger, XP and Vista.