Update to Safari browser contains 11 patches for Windows
Today's round of updates to Apple's Safari contains just four patches that affect the Mac OS X edition, but eleven for Windows Vista and XP, several of which would forestall some very familiar sounding exploits.
In October 2007, users of the first-edition iPhone were treated to a Safari patch that addressed what was then considered an indication of a serious design flaw: the capability for a malicious TIFF image file to be crafted that could trigger unprivileged code to be executed. At the time, an active exploit was feared to be in the wild.
Now, a patch for a vulnerability with a very similar, if not altogether identical, profile appears in the latest version 3.2 of Safari for Windows (this particular patch does not apply to Mac OS X users). Specifically, TIFF images that have been compressed using the well-known Lempel-Ziv (LZW) algorithm will now be treated with more care and concern, according to Apple's security bulletin released today.
That's one of two patches in version 3.2 that improve handling of TIFF images specifically, and five patches overall that involve malicious hijacking of image processing. Among the four patches that apply to both Windows and Mac editions is one that disables the ability for Safari plug-ins to launch local URLs without safeguards -- an ability that was identified by, and which Apple gives full credit to, Microsoft and VeriSign security researcher Billy Rios.
Last year, Rios' name made it to BetaNews when he discovered that a malformed URI handler flaw that had been attributed to Mozilla Firefox was actually attributable to Windows.