Apple releases Safari 3.2 with phishing protection

Anyone got a URL that could be used to test the feature?

Does that mean that Safari Version 4 Developer Preview (5526.11.2) should be replaced?

http://chaseonline.chase.com.ssl.com.kg/

Just type in 'Phishing Test' into Google. There are plenty of options.

However, I can't get any of them to work. On top of that, Acid3 is still at 75/100 and it causes crashes when running WebKit within it or using extensions, so I don't recommend it for all users.

I'm going back to Safari 4, which doesn't have the phishing option added yet.

That one was blocked correctly. I guess they aren't using Google's or Mozilla's DB on phishing sites.

Are you sure? The links on the phishing warning all lead to Google.

Big wow, so what, I'll stick with Firefox 3, thanks

Phishing site test worked for me, no crashes with extensions either. (does only get 75 on Acid 3 though)

Possibly all the goofing around with WebKit you do has left you with a non-standard set of components relative to the average user.

Not at all. I assumed that this site would also be in Google's phishing DB, but it does clearly say Firefox on the page.

WebKit is a separate app. It just calls the Safari Libraries when launched. You can still launch your verision of Safari alongside it just fine. As for extensions, that would depend on the extention. It seems Glims is causing crashes with the new build.

WebKit piggybacks off Safari. So it's entirely possible to get all the Safari 4 goodness *and* the new anti-phishing feature.

So...yes, it's possible to score 100% on Acid3 *and* get protection from fake Chase sites.

I just down loaded and did the reboot. I'm wondering if they rolled any of the javascript improvements into this revision or is that still off in the future.

We security is nice and all but I don't do much on line where that is a problem. What I really want is to see all the new HTML 5 and other improvements go mainstream.

dave

Yes, if you installed Safari 3.2, you can still use WebKit nightlies and get the benefit of phishing protection in Safari 3.2.

Based on the comments above, I'd say that they haven't updated WebKit (significantly) for this release. Maybe we'll have to wait for Snow Leopard for that.

Yeah, I'm sure a new WebKit will work fine, but you can't use "Safari 4 goodness" and the anti-phishing feature, unless it's a hidden feature in which a PLIST edit will enable it. Though I'm sure the next Safari 4 beta will have added it, so no worries.

I've run the upgrade twice now, once from Software Update and then as a download and each time I reboot and... Still have Safari 3.0.4. Anyone else having this problem?

I did on one machine. Rename Safari to 'Safari 3.0.4' or whatever, then do the update.

Still no go. Renamed it to Safari Old, ran the install, and when I came back all I had was Safari Old, same version.

Doesn't look like I'm meant to upgrade.

after updating, safari only crashes now.

Uninstall any extensions and plugins that aren't ordained by Apple.

that's pretty much exactly what I was (poorly) trying to say.

This sucks.
They included previously unpatched security fixes in this release in addition to the anti-phishing feature.

Apple needs to release a standalone Security Update for the security fixes.

So, anyone who chooses to skip this update will still be vulnerable to the following Safari exploits:


Safari

CVE-ID: CVE-2008-3644

Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

Impact: Sensitive information may be disclosed to a local console user

Description: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user. This update addresses the issue by properly clearing the form data. Credit to an anonymous researcher for reporting this issue.

WebKit

CVE-ID: CVE-2008-2303

Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.

WebKit

CVE-ID: CVE-2008-2317

Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in WebCore's handling of style sheet elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to an anonymous researcher working with the TippingPoint Zero Day Initiative for reporting this issue.

WebKit

CVE-ID: CVE-2008-4216

Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

Description: WebKit's plug-in interface does not block plug-ins from launching local URLs. Visiting a maliciously crafted website may allow a remote attacker to launch local files in Safari, which may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface. Credit to Billy Rios of Microsoft, and Nitesh Dhanjani of Ernst & Young for reporting this issue.

It only crashes when I try to "Reopen all windows from last session, oh and when I tried to open a link n a new window, and oh....

Same here. Constant crashes to the point that it is unusable.

Does anyone have a link to 3.1.2?

Yawn...

Another also-ran, primitive, clunky Windows port. I'll stick with OmniWeb; been using it since v3 and it blows FF and Safari out of the water. And yes, I actually paid for it, and no, I don't work for OmniGroup.

http://www.apple.com/support/downloads/

Go to the Apple site-downloads and enter safari 3.1.2 in the search box and it'll come up as a download.

Thanks but have you actually tried to download it because I always get redirected to 3.2?

Edit: I have stopped the crashes in 3.2 by removing PithHelmet. Anyway I'd still very much appreciate if someone knows where to get 3.1.2.

Re-directed me too, but I've got 3.2 on 10.5.5. Maybe you need 10.4 or older to get it?

Apple doesn't play well with others. I can't find the DL anywhere. Do you have TM backup?


Tiger, Leopard and Windows are all 3.2. I can't find a link that doesn't redirect me to 3.2.

No it won't. It redirects to the 3.2 dl

Luckily I didn't upgrade my laptop.

Wouldn't users of 10.5.2 be able to use that 3.1.2 hence the link being left up?

Not necessarily. the OS X requirements are "Any Mac running Security Update 007 and Mac OS X Leopard 10.5.5 or Mac OS X Tiger 10.4.11 (or higher)", so Apple may want you to update your OS X version. Especially since the updates are free so there is no legitimate reason, in Apple's eyes, why you wouldn't want the latest point update of OS X but want the latest version of Safari.

I don't have any unordained apps on my mini, but if I get some I might find that Safari 3.2 starts to crash and I'll have to delete them. Will an update fix this soon through the app, as there's no way to get 3.1.4 etc on 10.5.5?

I would say that Safari piggybacks off Webkit, since the Webkit framework gets installed into the OS, and then Safari simply makes use of it. You could get the code that is going to go into Safari 4, but it likely not have been certified for prime time. http://www.webkit.org is where it resides, but this is highly development oriented, so I wouldn't trust anything important on it.

Since he is talking specifically about the WebKit nightly builds, you click on WebKit.app instead of Safari.app, which calls the Safari libraries and even states Safari in the Menu Bar and lists the version as the latest version of Safari that you have installed. There are only a few signs that tell you running a WebKit nightly The gold rimmed compass icon, instead of silver, and the results of an Acid3 test are two. The Safari container is completely unchanged, so his initial statement was apt, but in a general sense you are also correct.

PS: I find the WebKit nightly builds to be quite stable, almost all of the time. The advancements they've made with JS processing since the build Apple uses in their Safari current releases makes them worthwhile. Now, Safari 4 beta, on the other hand, still has quirks so it's not worth the trouble, IMO.

It is not Apple's responsibility to ensure compatibility with third party hacks.

True - and lets ALSO remember that the interfaces which these third party hacks use are NOT supported by Apple in ANY form.

I wish some people here would put a cork in it when they don't know what the heck they're talking about.

Apple is losing its way. Whatever happened to "it just works"? Now they've got so many interdependencies, it's not funny. I just had Safari 3.1 crash and take my whole system with it. Figured it'd be a good time to go to 3.2 since this is one of my rare restarts. Bad move. 3.2 demands 10.5.5 and the latest security update. Why? I don't know. I bet the Windows version doesn't demand Vista SP2 and all the latest security updates. I upgraded from 10.5.3. 10 minutes, double reboot, etc. Safari still wouldn't install without the security update that Software Updater didn't even list until 10.5.5 was installed. Another 5 minutes to install that and double reboot. Finally installed Safari after another few minutes. A browser shouldn't need over 20 minutes to install. Then 3.2 crashed almost instantly. Reopening it every time gave me crashes. I finally went on a search and destroy mission for Pithhelmet. I feel sorry for Mac newbies who wouldn't have this kind of patience or the knowledge to follow the chain of steps. This is not the way to gain converts.

The most important new feature of Safari 3.2 is the long-overdue EV certificate support. If you log in to PayPal you'll see the info on the EV certificate at the top right of the Safari window.