Apple Releases Safari 4.0.2
The first vulnerability addressed permits websites to deploy cross-site scripting attacks.
An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
The second vulnerability permits arbitrary code execution when visiting certain maliciously-crafted websites.
A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
Safari 4.0.2 is available for OS X Leopard, OS X Tiger, and Windows (XP and Vista).