Three of the flaws -- involving issues in CoreGraphics, ImageIO and WebKit -- could be exploited to execute arbitrary code, according to an Apple advisory.
Perhaps the most unique bug involves a problem with Safari's new Top Sites feature, which provides an "at-a-glance view" of a user's favorite sites, the advisory said. An attacker might be able to exploit the flaw by adding a malicious site to this list, permitting potential phishing scams. Apple fixed the issue by only permitting websites that a user manually visits to be included in the list.
Andrew Storms, director of security operations at vulnerability management firm nCircle, suggested that, considering the number of security updates from Apple this year, the company may want to consider setting a patching schedule.
Vendors such as Microsoft, Oracle and Adobe already do this.
So far this year, Apple has delivered five Safari updates and three Mac OS X updates, the most recent on August 5. Safari has been patched each month since May. Tuesday's release arrived on the same day that Microsoft distributed nine patches to resolve nineteen flaws.
"This release makes the contrast between the security processes of Microsoft and Apple even more stark," Storms said. "Microsoft's release was planned, but Apple's updates seem to arrive at a haphazard pace."
See original article on scmagazineus.com
Apple patches Safari for fourth month in a row
By
Dan Kaplan
on Aug 13, 2009 11:17AM
The release of Safari 4.0.3 -- the fifth browser update of the year from Apple -- fixes six vulnerabilities.
