Multiple vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, disclose certain sensitive information, and compromise a user's system.

For more information:
SA45698
SA46049
SA46308
SA46594
SA46815
SA47231
SA47694

1) An error within the International Domain Name (IDN) support feature can be exploited to spoof a URL containing look-alike characters and trick a user into visiting a malicious website.

2) The Private Browsing feature does not properly prevent recording of visits to certain sites implementing the pushState or replaceState JavaScript methods.

3) Multiple errors in the WebKit component can be exploited to conduct cross-site scripting attacks.

4) An error within the WebKit component when handling drag-and-drop actions can be exploited to conduct cross-site scripting attacks.

5) Multiple errors within the WebKit component can be exploited to corrupt memory.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

6) An error within the cookie policy does not enforce the "Block Cookies" preference properly and can be exploited to set cookies from third-party sites.

7) An error in the WebKit component when handling redirects during HTTP Authentication can be exploited to disclose the credentials to another site.

This may be related to:
SA40110

8) An error when handling the splice() method on arrays can be exploited to corrupt memory.

Successful exploitation allows execution of arbitrary code.

Solution
Update to version 5.1.4.

Provided and/or discovered by
1) The vendor credits Matt Cooley, Symantec
2) The vendor credits Eric Melville, American Express
3) The vendor credits Sergey Glazunov, Jochen Eisinger of Google Chrome Security Team, and Alan Austin of polyvore.com
4) The vendor credits Adam Barth, Google Chrome Security Team
5) Reported by the vendor.
6) The vendor credits nshah
7) The vendor credits an anonymous person
8) Alexander Gavrun via ZDI.

The vendor also credits miaubiz, Martin Barbella, Lei Zhang of the Chromium development community, Adam Klein of the Chromium development community, Abhishek Arya (Inferno) of Google Chrome Security Team, Sergey Glazunov, Dmytro Gorbunov of SaveSources.com, Marshall Greenblatt, Dharani Govindan of Google Chrome, Aki Helin of OUSPG, Dave Levin, Slawomir Blazek, Sergio Villar Senin of Igalia, Cris Neckar of the Google Chrome Security Team, Julien Chaffraix of the Chromium development community, and Jeremy Apthorp of Google.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Apple:
http://support.apple.com/kb/HT5190

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-067/

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers