
The ArchAngel

macrumors regular
Original poster
Jun 23, 2008
202
0
Just received this bulletin:

APPLE-SA-2009-11-11-1 Safari 4.0.4

Safari 4.0.4 is now available and addresses the following:

ColorSync
CVE-ID: CVE-2009-2804
Available for: Windows 7, Vista, XP
Impact: Viewing a maliciously crafted image with an embedded color
profile may lead to an unexpected application termination or
arbitrary code execution
Description: An integer overflow exists in the handling of images
with an embedded color profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded color
profile may lead to an unexpected application termination or
arbitrary code execution. The issue is addressed by performing
additional validation of color profiles. This issue does not affect
Mac OS X v10.6 systems. The issue has already been addressed in
Security Update 2009-005 for Mac OS X 10.5.8 systems. Credit: Apple.

libxml
CVE-ID: CVE-2009-2414, CVE-2009-2416
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Windows 7, Vista, XP
Impact: Parsing maliciously crafted XML content may lead to an
unexpected application termination
Description: Multiple use-after-free issues exist in libxml2, the
most serious of which may lead to an unexpected application
termination. This update addresses the issues through improved memory
handling. The issues have already been addressed in Mac OS X 10.6.2,
and in Security Update 2009-006 for Mac OS X 10.5.8 systems.

Safari
CVE-ID: CVE-2009-2842
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2,
Windows 7, Vista, XP
Impact: Using shortcut menu options within a maliciously crafted
website may lead to the disclosure of local information
Description: An issue exists in Safari's handling of navigations
initiated via the "Open Image in New Tab", "Open Image in New
Window", or "Open Link in New Tab" shortcut menu options. Using these
options within a maliciously crafted website could load a local HTML
file, leading to the disclosure of sensitive information. The issue
is addressed by disabling the listed shortcut menu options when the
target of a link is a local file.

WebKit
CVE-ID: CVE-2009-2816
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2,
Windows 7, Vista, XP
Impact: Visiting a maliciously crafted website may result in
unexpected actions on other websites
Description: An issue exists in WebKit's implementation of Cross-
Origin Resource Sharing. Before allowing a page from one origin to
access a resource in another origin, WebKit sends a preflight request
to the latter server for access to the resource. WebKit includes
custom HTTP headers specified by the requesting page in the preflight
request. This can facilitate cross-site request forgery. This issue
is addressed by removing custom HTTP headers from preflight requests.
Credit: Apple.

WebKit
CVE-ID: CVE-2009-3384
Available for: Windows 7, Vista, XP
Impact: Accessing a maliciously crafted FTP server could result in
an unexpected application termination, information disclosure, or
arbitrary code execution
Description: Multiple vulnerabilities exist in WebKit's handling of
FTP directory listings. Accessing a maliciously crafted FTP server
may lead to information disclosure, unexpected application
termination, or execution of arbitrary code. This update addresses
the issues through improved parsing of FTP directory listings. These
issues do not affect Safari on Mac OS X systems. Credit to Michal
Zalewski of Google Inc. for reporting these issues.

WebKit
CVE-ID: CVE-2009-2841
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2
Impact: Mail may load remote audio and video content when remote
image loading is disabled
Description: When WebKit encounters an HTML 5 Media Element pointing
to an external resource, it does not issue a resource load callback
to determine if the resource should be loaded. This may result in
undesired requests to remote servers. As an example, the sender of an
HTML-formatted email message could use this to determine that the
message was read. This issue is addressed by generating resource load
callbacks when WebKit encounters an HTML 5 Media Element. This issue
does not affect Safari on Windows systems.


Safari 4.0.4 is available via the Apple Software Update application,
or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.6.1 and v10.6.2
The download file is named: Safari4.0.4SnowLeopard.dmg
Its SHA-1 digest is: 445df542b183fa65fd9df1f7ff4c6af306e6c0b9

Safari for Mac OS X v10.5.7
The download file is named: Safari4.0.4Leopard.dmg
Its SHA-1 digest is: 0aeb54208cdebcafb3206baf11d8649836273f33

Safari for Mac OS X v10.4.11
The download file is named: Safari4.0.4Tiger.dmg
Its SHA-1 digest is: 4ddfd70420e27bab98864a45f291f688d86f5963

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 236cfb9556dd369d95c5b45ddce740b15f2cb267

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: d95d61f2f804576b5d31fc8f47ac310438bc44dc

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
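
The WebKit Cross-Origin Resource Sharing entry (CVE-2009-2816) in the bulletin above, modelled as an added example that is not part of the bulletin, the post, or WebKit's code. The function names, hosts and header values are assumptions made for illustration; the `Access-Control-Request-*` header names come from the CORS specification.

```javascript
// Added illustration, not WebKit code: a simplified model of how a user agent
// derives a CORS preflight (OPTIONS) from the request a page asked for.
// Browser-added headers such as Host and User-Agent are left out of the model.

// Constructed sample request; hosts and header values are placeholders.
const pageRequest = {
  method: "PUT",
  url: "https://api.example/resource",
  origin: "https://page.example",
  headers: { "X-Requested-With": "XMLHttpRequest", "X-Custom-Token": "page-chosen-value" },
};

// Behaviour the advisory describes as the flaw: the page's custom headers,
// values included, are copied onto the preflight request itself.
function buildPreflightFlawed(req) {
  return {
    method: "OPTIONS",
    url: req.url,
    headers: {
      Origin: req.origin,
      "Access-Control-Request-Method": req.method,
      ...req.headers,
    },
  };
}

// Behaviour after the fix: custom headers are removed from the preflight.
// Only their names are announced, so the server can allow or refuse them.
function buildPreflightFixed(req) {
  const names = Object.keys(req.headers).map((h) => h.toLowerCase()).sort();
  const headers = { Origin: req.origin, "Access-Control-Request-Method": req.method };
  if (names.length > 0) headers["Access-Control-Request-Headers"] = names.join(",");
  return { method: "OPTIONS", url: req.url, headers };
}

// Check for a captured preflight (in this model): any header outside the
// CORS-defined set was supplied by the requesting page and should not be there.
const PREFLIGHT_ALLOWED = new Set([
  "origin",
  "access-control-request-method",
  "access-control-request-headers",
]);
function pageControlledHeaders(preflight) {
  return Object.keys(preflight.headers).filter((h) => !PREFLIGHT_ALLOWED.has(h.toLowerCase()));
}
```

Running `pageControlledHeaders` over both results shows the difference: the flawed preflight carries the two page-chosen headers, the fixed one carries none.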
 

The ArchAngel

macrumors regular
Original poster
Jun 23, 2008
202
0
Also available in Software Update now. Update text is as follows:

This update is recommended for all Safari users and includes improvements to performance, stability, and security including:

Improved JavaScript performance
Improved Full History Search performance for users with a large number of history items
Stability improvements for 3rd-party plug-ins, the search field and Yahoo! Mail
For detailed information on the security content of this update, please visit this site: http://support.apple.com/kb/HT1222.

29.8MB on the MBP in my signature.
 

MacRumors

macrumors bot
Apr 12, 2001
63,290
30,367
Apple Releases Safari 4.0.4



Apple today released Safari 4.0.4, bringing improvements for JavaScript and History search performance, stability improvements in a number of areas including third-party plug-ins, and fixes for a handful of security issues.
This update is recommended for all Safari users and includes improvements to performance, stability, and security including:

- Improved JavaScript performance
- Improved Full History Search performance for users with a large number of history items
- Stability improvements for 3rd-party plug-ins, the search field and Yahoo! Mail

For detailed information on the security content of this update, please visit this site: http://support.apple.com/kb/HT1222.
Safari 4.0.4 is available via Software Update and Apple's Safari download page. Versions for Mac OS X Snow Leopard, Leopard, and Tiger are available, as well as a single version for Windows 7, Vista, and XP.

Article Link: Apple Releases Safari 4.0.4
 

jmcguckin

macrumors regular
Nov 26, 2008
121
0
Akron, OH
downloading/installing the update now, always glad to install updates that make anything on my computer faster/more stable... though like quite a few other people have said, I wasn't having any issues with v. 4.0.3 (aside from the usual Flash-induced crashes, though I've kinda come to accept that these will happen indefinitely until something other than Flash becomes the standard internet video format).
 

Spankey

macrumors 6502a
Sep 30, 2007
859
334
NJ
Actually opened a lot quicker for me on my MBP. Two dock bounces as opposed to 4 or more previously.
 

randyharris

macrumors regular
Jul 10, 2006
153
4
Before I install this update - any word on whether Glims works with this new version of Safari?

Thanks!
 

yetanotherdave

macrumors 68000
Apr 27, 2007
1,768
12
Bristol, England
Great, Safari was just updated, so plugin authors (Saft) have been working on the latest 4.0.3 build, now they've got 4.0.4 to work on, putting them back a couple of days, putting me back a few days till I install 10.6.2 :(
Come on Apple, you could have put this in the 10.6.2 update instead of the updated 4.0.3 version!
 

sladey

macrumors regular
Jun 17, 2008
151
23
Sydney, Australia
Still no good with Acrobat in Windows!

Do Apple and Adobe hate each other that much?

Safari in Windows has crashed (since version 3) every time I click on a link that turns out to be a pdf.

I have Acrobat 9 installed, but neither Adobe nor Apple will own up to the crashing problem. Safari is unusable!
 

plinden

macrumors 601
Apr 8, 2004
4,029
142
maybe Safari won't crash as much now....
Install Click to Flash.

Less beach balls would be nice. Let's find out..
Install Click to Flash.

Please, Flash be sorted! (doesn't get his hope up)
Talk to Adobe about this (and install Click to Flash)


"... Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser"

Unless you're running mobile Safari on your computer, I don't think that article says anything about this version of Safari ... it doesn't say enough to come to any conclusions anyway.
 

daneoni

macrumors G4
Mar 24, 2006
11,576
1,131
About bloody time, this browser was starting to really piss me off with the stalls & crashes. Even forced me to reboot once. Imagine.
 