Apple unveils Safari Extensions Gallery for extensions, updates for security

With the introduction of Safari 5 and its support of an extension architecture, Apple finally filled a gap its browser's feature list. With the release on Wednesday of Version 5.0.1, it adds a link to Safari Extensions Gallery, a page promoting the new add-ons.

In addition, Apple released security updates for Safari 5 (Mac and Windows) and Safari 4.1 for Mac OS X Tiger.

The link to the Safari Extensions Gallery is found under the Safari menu item on the Mac. Safari 5.0.1 lets users download and install extensions from the Safari Extensions Gallery on Apple's website or directly from a developer's site, the company said.

The Safari Extensions Gallery is accessible from the Safari menu or at extensions.apple.com. Users can download and install extensions from the gallery with a single click, and there’s no need to restart the browser. Extensions can be automatically updated and are easily managed within Safari. Users can enable or disable individual extensions, or turn off all extensions with one click.

Safari Extensions are built with HTML5, CSS3 and JavaScript web standards, and can have all the power and functionality of advanced web applications. Every Safari Extension is signed with a digital certificate from Apple to prevent tampering and to verify that updates to the extension are from the original developer. Safari Extensions are sandboxed, so they can’t access information on a user’s system or communicate with websites aside from those specified by the developer. For increased stability, Safari Extensions run solely in the browser.

The Safari Gallery is broken down into categories, including News, Shopping, Search Tools, Social Networking, Entertainment, Productivity, Bookmarking, Security, RSS Tools, Twitter Tools, Translation, URL Shorteners, Email, Photos, Developer and Other.

The Safari Gallery page design is more like the iTunes Store, offering a top well that promotes a half dozen extensions and followed by category listings. It's much more developer friendly than the Dashboard widget promo page.

Check Out:  Safari 5.0 extensions on parade

Meanwhile, Apple on Wed. released security updates for Safari 5 and Safari 4.1 for Mac OS X Tiger. The update appears to plug among others, an Autofill hole and a number of WebKit memory holes the discovery of which were credited to wushi of team509, working with TippingPoint's Zero Day Initiative.

Description: Safari's AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book.  By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user's Address Book Card.

To trigger the issue, the following two situations are required. First, in Safari Preferences, under AutoFill, the "Autofill web forms using info from my Address Book card" checkbox must be selected. Second, the user's Address Book must have a Card designated as "My Card". Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action. Devices running iOS are not affected. Credit to Jeremiah Grossman of WhiteHat Security for reporting this issue.