Posted by: WHurley
Apple, patch management, Safari
On the same day that Microsoft issued 10 security bulletins covering 34 vulnerabilities, Apple released a flood of patches for its Safari browser, covering Safari 4 (Mac OS X 10.4), Safari 5 (Mac OS X 10.6) and Safari 5 for Windows.
Most of the vulnerabilities, 44 of the 48, are in WebKit, the open source browser engine that Safari is built on.
The WebKit patches close a range of attack vectors, including arbitrary code execution, cross-site scripting and information disclosure, triggered by visiting a maliciously crafted website or by dragging or pasting links or images from one site into another.
Updates also addressed a heap buffer overflow vulnerability in ColorSync, Apple’s color management API. Opening an attacker-modified image with an embedded ColorSync profile could potentially lead to an unexpected application termination or arbitrary code execution.
Two further fixes address flaws in Safari itself that could lead to the same outcomes (unexpected application termination or arbitrary code execution) when a user visits a maliciously crafted website.
To assist users authenticating to a server, Safari supports user information embedded in URLs, in the form user:password@host. Because everything before the @ can be made to look like a trusted host name while the real destination follows it, this syntax is a convenient tool for phishing. A final Safari update makes the browser display a warning before it navigates or redirects to an HTTP or HTTPS URL that contains user information.
Safari 5 for Windows and Mac launched on Monday.
Learn more about the Safari patches.