According to Apple, which is taking a refreshingly open approach to software security flaws, Infosecurity notes, these browser vulnerabilities can allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, bypass security restrictions, or conduct cross-site scripting attacks.
US-CERT appears to be sufficiently impressed with Apple's approach and development of the new Safari browser edition to post a security notice on its website, suggesting that users review Apple article HT3613 and upgrade to Safari 4.0 to help mitigate the security risks.
The security flaw on CFNetwork, for example, apparently allows downloaded image files to be misidentified as HTML, potentially leading to JavaScript execution without warning the user.
On CoreGraphics, meanwhile, Apple reports that visiting a maliciously crafted web site could lead to an unexpected application termination or arbitrary code execution.
This is caused, Apple explains, because CoreGraphics contains memory corruption issues in the processing of arguments.
On the Windows version of Safari, meanwhile, Apple says that the `Reset Safari' option may not immediately remove website passwords from memory, so posing a potential security risk.
When users click the reset button for `Reset saved names and passwords' in the `Reset Safari' menu option, Apple admits that the browser can take up to 30 seconds to clear the passwords.
A user with access to the system in that time window may be able to access the stored credentials.