Apple fixes Snow Leopard and Safari vulnerabilities

The company has issued security updates to fix vulnerabilities that could allow an attacker to intercept sensitive user information

Apple has released security updates for its Safari web browser and Snow Leopard operating system, fixing vulnerabilities that potentially allowed an attacker to intercept sensitive user information.

The Snow Leopard OS update — Security Update 2011-002 — is available for Mac OS X and Mac OS X Server versions 10.5.8 and 10.6.7. It is designed to fix a vulnerability that could allow an attacker "in a privileged network position" to intercept sensitive personal information and credentials sent via a web browser, Apple said on Thursday.

"Several fraudulent SSL certificates were issued by a Comodo affiliate registration authority. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information," Apple wrote on its support pages. "This issue is addressed by blacklisting the fraudulent certificates."

For Windows Safari users, applying the update in Microsoft Knowledge Base Article 2524375 will cause Safari to view the certificates as invalid.

The Safari 5.0.5 update, also issued on Thursday, closes two holes in the WebKit browser engine across the Mac and Windows platforms.

Apple said the vulnerabilities could have been exploited when a user visited a malicious website, leading to arbitrary code execution or unexpected application termination.

Apple recommended that all Safari and Mac OS X users update the software. New versions can be obtained directly from the Apple website, or via the update mechanism in OS X and Safari. OS X users who have not installed previously issued security updates will get them as a part of this latest release.

Also on Thursday, Apple issued an update to iOS 4.3.2 to address the Safari SSL certificate vulnerability and fix a number of bugs.
