They included previously unpatched security fixes in this release in addition to the anti-phishing feature.
Apple needs to release a standalone Security Update for the security fixes.
So, anyone who chooses to skip this update will still be vulnerable to the following Safari exploits:
• Safari
CVE-ID: CVE-2008-3644
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Sensitive information may be disclosed to a local console user
Description: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user. This update addresses the issue by properly clearing the form data. Credit to an anonymous researcher for reporting this issue.
• WebKit
CVE-ID: CVE-2008-2303
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.
• WebKit
CVE-ID: CVE-2008-2317
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebCore's handling of style sheet elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to an anonymous researcher working with the TippingPoint Zero Day Initiative for reporting this issue.
• WebKit
CVE-ID: CVE-2008-4216
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
Description: WebKit's plug-in interface does not block plug-ins from launching local URLs. Visiting a maliciously crafted website may allow a remote attacker to launch local files in Safari, which may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface. Credit to Billy Rios of Microsoft, and Nitesh Dhanjani of Ernst & Young for reporting this issue.
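The bug class named in the CVE-2008-2303 entry above (a signed index that is only tested against the upper bound) and the "additional validation" fix, as an added illustration that is not part of the original comment, Apple's advisory, or WebKit's code. `toy_array`, `get_flawed`, `get_checked` and the guard cells that model adjacent memory are hypothetical names constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define GUARD 4             /* cells modelling memory just below the array */
#define SLOTS 8             /* logical array length */
#define NEIGHBOUR 0x5EC2E7  /* constructed marker for the adjacent data */

typedef struct {
    int32_t mem[GUARD + SLOTS]; /* element i lives at mem[GUARD + i] */
    int32_t length;
} toy_array;

static void toy_init(toy_array *a) {
    for (int i = 0; i < GUARD; i++) a->mem[i] = NEIGHBOUR;
    for (int i = 0; i < SLOTS; i++) a->mem[GUARD + i] = i * 10;
    a->length = SLOTS;
}

/* Flawed: index is signed but only the upper bound is tested. */
static int get_flawed(const toy_array *a, int32_t index, int32_t *out) {
    if (index >= a->length) return -1;
    *out = a->mem[GUARD + index];   /* index -1 lands in the guard cells */
    return 0;
}

/* Hardened: reject negative values before the upper-bound test. */
static int get_checked(const toy_array *a, int32_t index, int32_t *out) {
    if (index < 0 || index >= a->length) return -1;
    *out = a->mem[GUARD + index];
    return 0;
}

/* 1 if the flawed getter hands back neighbour data for index -1. */
static int flawed_leaks_neighbour(void) {
    toy_array a; int32_t v = 0;
    toy_init(&a);
    return get_flawed(&a, -1, &v) == 0 && v == NEIGHBOUR;
}

/* 1 if the hardened getter refuses -1 yet still serves index 3. */
static int checked_rejects_negative(void) {
    toy_array a; int32_t v = 0;
    toy_init(&a);
    return get_checked(&a, -1, &v) == -1 && get_checked(&a, 3, &v) == 0 && v == 30;
}

int main(void) {
    printf("flawed leaks: %d, checked rejects: %d\n",
           flawed_leaks_neighbour(), checked_rejects_negative());
    return 0;
}
```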
Big wow, so what, I'll stick with Firefox 3, thanks
Yawn...
Another also-ran, primitive, clunky Windows port. I'll stick with OmniWeb; been using it since v3 and it blows FF and Safari out of the water. And yes, I actually paid for it, and no, I don't work for OmniGroup.
Wouldn't users of 10.5.2 be able to use that 3.1.2 hence the link being left up?
Not necessarily. The OS X requirements are "Any Mac running Security Update 007 and Mac OS X Leopard 10.5.5 or Mac OS X Tiger 10.4.11 (or higher)", so Apple may want you to update your OS X version. Especially since the updates are free so there is no legitimate reason, in Apple's eyes, why you wouldn't want the latest point update of OS X but want the latest version of Safari.
I don't have any unordained apps on my mini, but if I get some I might find that Safari 3.2 starts to crash and I'll have to delete them. Will an update fix this soon through the app, as there's no way to get 3.1.4 etc on 10.5.5?
WebKit piggybacks off Safari. So it's entirely possible to get all the Safari 4 goodness *and* the new anti-phishing feature.
So...yes, it's possible to score 100% on Acid3 *and* get protection from fake Chase sites.
I would say that Safari piggybacks off WebKit, since the WebKit framework gets installed into the OS, and then Safari simply makes use of it. You could get the code that is going to go into Safari 4, but it will likely not have been certified for prime time. http://www.webkit.org is where it resides, but this is highly development oriented, so I wouldn't trust anything important on it.
I would say that Safari piggybacks off Safari, since the WebKit framework gets installed into the OS, and then Safari simply makes use of it. You could get the code that is going to go into Safari 4, but it will likely not have been certified for prime time. http://www.webkit.org is where it resides, but this is highly development oriented, so I wouldn't trust anything important on it.
Since he is talking specifically about the WebKit nightly builds, you click on WebKit.app instead of Safari.app, which calls the Safari libraries and even states Safari in the Menu Bar and lists the version as the latest version of Safari that you have installed. There are only a few signs that tell you you're running a WebKit nightly. The gold-rimmed compass icon, instead of silver, and the results of an Acid3 test are two. The Safari container is completely unchanged, so his initial statement was apt, but in a general sense you are also correct.
PS: I find the WebKit nightly builds to be quite stable, almost all of the time. The advancements they've made with JS processing since the build Apple uses in their current Safari releases make them worthwhile. Now, Safari 4 beta, on the other hand, still has quirks so it's not worth the trouble, IMO.
Apple is losing its way. Whatever happened to "it just works"? Now they've got so many interdependencies, it's not funny. I just had Safari 3.1 crash and take my whole system with it. Figured it'd be a good time to go to 3.2 since this is one of my rare restarts. Bad move. 3.2 demands 10.5.5 and the latest security update. Why? I don't know. I bet the Windows version doesn't demand Vista SP2 and all the latest security updates. I upgraded from 10.5.3. 10 minutes, double reboot, etc. Safari still wouldn't install without the security update that Software Updater didn't even list until 10.5.5 was installed. Another 5 minutes to install that and double reboot. Finally installed Safari after another few minutes. A browser shouldn't need over 20 minutes to install. Then 3.2 crashed almost instantly. Reopening it every time gave me crashes. I finally went on a search and destroy mission for PithHelmet. I feel sorry for Mac newbies who wouldn't have this kind of patience or the knowledge to follow the chain of steps. This is not the way to gain converts.
The most important new feature of Safari 3.2 is the long-overdue EV certificate support. If you log in to PayPal you'll see the info on the EV certificate at the top right of the Safari window.
Comments
After updating, Safari only crashes now.
It only crashes when I try to "Reopen all windows from last session", oh and when I tried to open a link in a new window, and oh....
Does anyone have a link to 3.1.2?
• http://www.apple.com/support/downloads/
Same here. Constant crashes to the point that it is unusable.
Go to the Apple site-downloads and enter Safari 3.1.2 in the search box and it'll come up as a download.
• http://www.apple.com/support/downloads/
Thanks but have you actually tried to download it because I always get redirected to 3.2?
Edit: I have stopped the crashes in 3.2 by removing PithHelmet. Anyway I'd still very much appreciate if someone knows where to get 3.1.2.
Re-directed me too, but I've got 3.2 on 10.5.5. Maybe you need 10.4 or older to get it?
Apple doesn't play well with others. I can't find the DL anywhere. Do you have TM backup?
Tiger, Leopard and Windows are all 3.2. I can't find a link that doesn't redirect me to 3.2.
Go to the Apple site-downloads and enter Safari 3.1.2 in the search box and it'll come up as a download.
No it won't. It redirects to the 3.2 dl
Luckily I didn't upgrade my laptop.
Apple doesn't play well with others.
It is not Apple's responsibility to ensure compatibility with third party hacks.
True - and let's ALSO remember that the interfaces which these third party hacks use are NOT supported by Apple in ANY form.
I wish some people here would put a cork in it when they don't know what the heck they're talking about.
Yawn...
Another also-ran, primitive, clunky Windows port. I'll stick with OmniWeb; been using it since v3 and it blows FF and Safari out of the water. And yes, I actually paid for it, and no, I don't work for OmniGroup.
I should try out OmniGroup browser thanks