Secunia Advisory SA35379

Apple Safari Multiple Vulnerabilities
Release Date 2009-06-09
Last Update 2009-07-13
   

Criticality level Highly critical
Impact Security Bypass
Cross Site Scripting
Exposure of sensitive information
System access
Where From remote
Solution Status Unpatched
   
Software:
Apple Safari 3.x
Safari for Windows 3.x

CVE Reference(s):
CVE-2009-0040
CVE-2009-0946
CVE-2009-1681
CVE-2009-1682
CVE-2009-1684
CVE-2009-1690
CVE-2009-1696
CVE-2009-1698
CVE-2009-1699
CVE-2009-1700
CVE-2009-1703
CVE-2009-1704
CVE-2009-1705
CVE-2009-1706
CVE-2009-1707
CVE-2009-1708
CVE-2009-1709
CVE-2009-1710
CVE-2009-1711
CVE-2009-1712
CVE-2009-1713
CVE-2009-1714
CVE-2009-1715
CVE-2009-1716
CVE-2009-2027
CVE-2009-2420
  

Description

Some vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, or compromise a user's system.

1) An error in the handling of TrueType fonts can be exploited to corrupt memory when a user visits a web site embedding a specially crafted font.

Successful exploitation may allow execution of arbitrary code.

2) Some vulnerabilities in FreeType can potentially be exploited to compromise a user's system.

For more information:
SA34723

3) Some vulnerabilities in libpng can potentially be exploited to compromise a user's system.

For more information:
SA33970

4) An error in the processing of external entities in XML files can be exploited to read files from the user's system when a user visits a specially crafted web page.

5) An error in the handling of redirects when processing Extensible Stylesheet Language Transformations (XSLT) can be exploited to disclose XML content from other web sites.

6) An error in the XSL "document()" function can be exploited to read files from other security zones, including the user's system.

7) An error in WebKit in the handling of JavaScript contexts can be exploited to conduct cross-site scripting attacks, e.g. to spoof the content of a web site that is navigated to.

8) An error exists in WebKit when executing JavaScript code which sets a certain property of an HTML tag. This can be exploited to free child elements of the HTML tag and subsequently reference the freed memory when an HTML error is encountered.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

9) An error when handling calls to the CSS "attr" function can be exploited to access an uninitialised pointer and potentially execute arbitrary code.

10) An error in the handling of "file:" URLs can be exploited to read local files and disclose potentially sensitive information.

Other vulnerabilities have also been reported, some of which may also affect Safari version 3.x.


Solution
Upgrade to Safari version 4, which fixes the vulnerabilities.

Provided and/or discovered by
1-3) Tavis Ormandy
4-6) Chris Evans of Google Inc.
7) Michal Zalewski of Google Inc.
8) wushi and ling of team509, reported via iDefense
9) Thierry Zoller, reported via ZDI. The vendor also credits Robert Swiecki of the Google Security Team.
10) Alexios Fakos, n.runs AG. The vendor also credits Dino Dai Zovi.

Original Advisory
Apple:
http://support.apple.com/kb/HT3613

Chris Evans:
http://scary.beasts.org/security/CESA-2009-006.html
http://scary.beasts.org/security/CESA-2009-008.html

Michal Zalewski:
http://lcamtuf.coredump.cx/sftrap2/

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=803

Thierry Zoller:
http://archives.neohapsis.com/archives/fulldisclosure/2009-06/0156.html

n.runs:
http://archives.neohapsis.com/archives/fulldisclosure/2009-06/0243.html
