Apple today released Safari 4.0.2, now available on Apple's Safari download page or through Software Update. According to the support document associated with the release, the update addresses two security vulnerabilities that could be exploited by maliciously crafted websites. The update also reportedly improves the stability of the Nitro JavaScript engine used by Safari.
The first vulnerability addressed permits websites to deploy cross-site scripting attacks.
An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
The second vulnerability permits arbitrary code execution when visiting certain maliciously-crafted websites.
A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
Safari 4.0.2 is available for OS X Leopard, OS X Tiger, and Windows (XP and Vista).
