“It's a huge update," Peter James, spokesman at Mac security vendor Intego, told SCMagazineUS.com on Tuesday. "It covers a lot of things. It makes you wonder why some of them weren't fixed earlier."
The vulnerabilities are present in components such as CFNetwork, CoreGraphics, ImageIO, International Components for Unicode, libxml, Safari, Safari Windows Installer, and WebKit, according to Apple's security notes for Safari 4.0. Many of the vulnerabilities affect Safari on both Windows and Mac operating systems.
Graham Cluley, senior technology consultant at security vendor Sophos, told SCMagazineUS.com on Tuesday in an email that in terms of the number of fixes, this is one of the biggest security updates seen in some time from Apple. He added that the vulnerabilities are varied in their impact and some are “extremely critical.”
“For instance, some flaws, if left unpatched, would allow hackers to craft malicious graphic files that when viewed in the browser would allow dangerous code to be executed on the surfer's computer,” Cluley said.
In addition, if exploited, some of the vulnerabilities could enable an attacker to bypass security restrictions or conduct cross-site scripting attacks.
More than half of the vulnerabilities fixed in the Safari update were present in WebKit, an open-source application framework that Safari uses. According to Apple, one of the vulnerabilities fixed in WebKit, affecting both Windows and Mac Safari users, could have allowed “clickjacking” attacks -- a trick that lures a user into clicking a malicious, invisible button, thinking they are clicking on something else. Using this technique, an attacker may be able to manipulate a user into carrying out unintended actions, like making a purchase, Apple said.
Cluley said that some of the vulnerabilities fixed with this update are more than three years old. A cross-site scripting flaw in WebKit (CVE-2006-2783) was first reported and patched in Firefox in 2006, he said. In addition, a memory access issue in WebKit (CVE-2008-4231) was originally found last year in the iPhone version of Safari, but was now revealed to be an issue for Windows and Mac Safari users too, he added.
Intego's James agreed.
“It can be a little bit surprising that they didn't address any of these issues earlier," he said. "These aren't things that popped up within a few weeks.”
Apple did not immediately respond Tuesday to a request for comment about this issue.
Security firm Secunia rated the vulnerabilities “highly critical,” or a four out of five on its severity rating scale. The US-CERT, in an advisory Tuesday, encouraged users to upgrade to Safari 4.0 to mitigate the risks of these vulnerabilities.