This article originally appeared in TidBITS on 2008-11-13 at 3:19 p.m.

Safari 3.2 Fixes Security Flaws

by Glenn Fleishman

Apple has released Safari 3.2, which addresses a host of vulnerabilities, mostly in the version for Windows XP and Vista. A full rundown of changes is found in the security note [1]. Most of the flaws relate to image handling and parsing under Windows. Several of the fixed bugs are cross-platform, and, among other improvements, the fixes close holes that could allow disclosure of information in forms to unintended users. In particular, Safari adds anti-phishing protection using Google's list of suspected malicious sites.

Most surprisingly, the Windows version of Safari was using zlib [2] 1.2.2, an open-source library of compression algorithms designed to avoid stepping on (and being encumbered by) any patents. The 1.2.3 release [3] came out in July 2005 to fix known flaws in the previous release. Someone was apparently asleep at the switch in using the older library. zlib was likely used in handling compressed Web pages, an option that many servers employ to reduce the time spent and bandwidth used in transmitting HTML.

Safari 3.2 can be automatically updated through Software Update under Mac OS X or Windows with Safari installed. The new release may also be downloaded separately for Mac OS X 10.4 Tiger [4] (25 MB), Mac OS X 10.5 Leopard [5] (39 MB), or Windows XP/Vista [6] (19 MB).