The latest fixes, available in the new Safari 4.0, corrects a wide range of code execution and denial-of-service vulnerabilities and even comes with a fix for the vexing "clickjacking" issues plaguing modern Web browsers.
Several proof-of-concept examples of clickjacking, also known as URI redressing, show how clicks on one Web page can actually apply to clicks on page that’s invisible to the end user. It is a problem that affects all the major Web browsers and it appears Apple is pushing out a fix for Mac and Windows users.
how clicks on one Web page can actually apply to clicks on page that’s invisible to the end user.
- WebKit (CVE-2009-1681): A design issue exists in the same-origin policy mechanism used to limit interactions between websites. This policy allows websites to load pages from third-party websites into a subframe. This frame may be positioned to entice the user to click a particular element within the frame, an attack referred to as "clickjacking". A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This update addresses the issue through adoption of the industry-standard 'X-Frame-Options' extension header, that allows individual web pages to opt out of being displayed within a subframe.
The latest Safari refresh also fixes five documented several code execution issues in CoreGraphics (all could lead to complete computer takeover attacks); an ImageIO issue that could be exploited via maliciously crafted PNG images; 5 flaws in libxml; and a variety of WebKit vulnerabilities that affect Safari on both Mac and Windows systems.