Apple fixes 'highly critical' Safari bugs

The update, affecting both Windows and Mac OS X, patches 16 flaws, 12 of which could let an attacker take over a user's system
Written by Matthew Broersma, Contributor

Apple has released a set of fixes for 16 bugs in the Safari browser, including 12 that could allow an attacker to execute malicious code on a user's system.

The security flaws fixed in the Thursday update, Safari 4.0.5, were ranked as "highly critical" by independent security firm Secunia.

The vulnerabilities mainly affect the ImageIO imaging framework and the WebKit rendering engine, Apple said. Two of the ImageIO bugs could allow an attacker to run malicious code on a victim's system, while another two could allow a malicious website to read the contents of Safari's memory, disclosing that data to the site.

Another nine bugs affect WebKit, which is also used for rendering in Google's Chrome and Android, Palm's WebOS and the web browser for Nokia S60 smartphones. Eight of the WebKit flaws in Safari open systems up to malicious code execution, according to Apple.

Six of the vulnerabilities — a flaw in ColorSync, four of the ImageIO bugs and a flaw in the handling of external URL schemes — affect only the Windows platform, while the other 10 affect both Windows and Mac OS X, Apple said.

Safari controls about 4.5 percent of the browser market, according to usage figures released last month by Net Applications, and is also the browser integrated into more than 75 million iPhone OS devices. In September, Apple issued patches for WebKit flaws that affected the iPhone operating system.
