A fraudster could have used the fake SSL certificates – issued for sites such as Google, Yahoo, Skype and Microsoft's Hotmail – to set up a fake website that passed the browser's certificate validation and appeared like the real thing to users. The attacker would then be able to spoof content or perform phishing and man-in-the-middle attacks to steal credentials or spy on users. The fix issued on Thursday places the rogue certificates on a blacklist so that Safari will no longer trust them.
Meanwhile, the newly issued Safari 5.0.5 addresses two vulnerabilities that could have led to unexpected application termination or arbitrary code execution if a user visits a malicious website.
Apple's mobile device suite also saw fixes with the release of iOS 4.3.2 8H8 (4.2.7 for VZ iPhone). Among the issues addressed are bugs exposed during CanSecWest's Pwn2Own hacker competition last month in Vancouver.