Secunia

Multiple vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information or compromise a user's system.

1) Certain input passed in RSS feeds is not properly sanitised before being used. This can be exploited to retrieve files from a user's system when the user accesses a specially crafted RSS feed.

2) The AutoFill feature is enabled to use information from the personal address book card by default. This can be exploited to secretly disclose personal information from the personal address book card when a user visits a specially crafted web page.

3) A use-after-free error exists in WebKit when handling element focus.

4) An error in WebKit when rendering inline elements can be exploited to corrupt memory.

5) An error in WebKit when handling dynamic modification of text nodes can be exploited to corrupt memory.

6) An error in WebKit when handling CSS counters can be exploited to corrupt memory.

7) An uninitialised memory access error exists in WebKit when handling the ":first-letter" and ":first-line" pseudo-elements in SVG text elements.

8) A use-after-free error exists in WebKit when handling "foreignObject" elements in SVG documents.

9) An error in WebKit when handling floating elements in SVG documents can be exploited to corrupt memory.

10) An error in WebKit when handling "use" elements in SVG documents can be exploited to corrupt memory.

11) An error in WebKit when handling JavaScript string objects can be exploited to cause a heap-based buffer overflow.

12) A re-entrancy problem exists in WebKit when handling JIT compiled JavaScript stubs.

13) A signedness error in WebKit when handling JavaScript arrays can be exploited to corrupt memory.

14) An error in WebKit when handling regular expressions can be exploited to corrupt memory.

15) A use-after-free error exists in WebKit when handling "font-face" and "use" elements in SVG documents.

Successful exploitation of vulnerabilities #3 through #15 may allow execution of arbitrary code.

Solution
Update to version 5.0.1 (Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, XP) or 4.1.1 (Mac OS X v10.4.11).

Provided and/or discovered by
2) Jeremiah Grossman
5, 11, 12) Reported by the vendor.
6, 7, 8, 9) wushi, team509 via ZDI.

The vendor credits:
1) Billy Rios, Google Security Team.
3) Tony Chang, Google.
4) wushi, team509.
10) Justin Schuh, Google.
13) Natalie Silvanovich
14) Peter Varga, University of Szeged.
15) Aki Helin

Changelog
Further details available in Customer Area

Original Advisory
Apple:
http://support.apple.com/kb/HT4276

Jeremiah Grossman:
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-141/
http://www.zerodayinitiative.com/advisories/ZDI-10-142/
http://www.zerodayinitiative.com/advisories/ZDI-10-144/
http://www.zerodayinitiative.com/advisories/ZDI-10-153/

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available in Customer Area