Apple patches critical Safari holes

Multiple vulnerabilities that could allow a hacker to take control of a machine exist in the Safari web browser, Apple has said
Written by Tom Espiner, Contributor

Apple has made patches available for a number of critical security holes in its Safari web browser.

Apple published an advisory on Wednesday that dealt with multiple security vulnerabilities in Safari for Windows and for Mac, fixing them in Safari 5.1 and 5.06.

The advisory addressed at least 23 issues in Safari, and around 58 vulnerabilities. The holes mainly affect desktop Macs running Windows 7, Vista, XP SP2 or later. Flaws included cross-site scripting holes, and buffer and integer overflows that could lead to a hacker gaining control of the system. Two of the Safari issues affected Mac OS X and Mac OS X Server.

Flaws include multiple memory corruption issues in the WebKit browser engine. These could lead to arbitrary code execution if a user visits a maliciously crafted website, Apple warned.

US CERT recommended that IT professionals look at the advisory and "apply any necessary updates to help mitigate the risks."

Safari 5.1 also has a Privacy Pane that lets users manage data such as Flash cookies.

On Wednesday, Apple released OS X Lion, which contained a number of new security features. One of them was full address space layout randomisation (ASLR), which randomly arranges key data areas and makes it very hard for malware to know where in memory to install itself.

Safari 5.1 supports sandboxing in OS X Lion, a feature that quarantines websites to stop those that try to access a user's system.
