About the security content of Safari 6.0.1

This document describes the security content of Safari 6.0.1.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

Safari 6.0.1

Note: For OS X Mountain Lion systems, Safari 6.0.1 is included with OS X Mountain Lion v10.8.2.

  • Safari

    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

    Impact: Opening a maliciously crafted downloaded HTML document may lead to the disclosure of local file content

    Description: In OS X Mountain Lion, HTML files were removed from the unsafe type list. Quarantined HTML documents are opened in a safe mode that prevents accessing other local or remote resources. A logic error in Safari's handling of the Quarantine attribute caused the safe mode not to be triggered on Quarantined files. This issue was addressed by properly detecting the existence of the Quarantine attribute.

    CVE-ID

    CVE-2012-3713 : Aaron Sigel of vtty.com, Masahiro Yamada

  • Safari

    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

    Impact: Using Autofill on a maliciously crafted website may lead to the disclosure of contact information

    Description: A rare condition existed in the handling of Form Autofill. Using Form Autofill on a maliciously crafted website may have led to disclosure of information from the Address Book "Me" card that was not included in the Autofill popover. This issue was addressed by limiting Autofill to the fields contained in the popover.

    CVE-ID

    CVE-2012-3714 : Jonathan Hogervorst of Buzzera

  • Safari

    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

    Impact: After editing an HTTPS URL in the address bar, a request may be unexpectedly sent over HTTP

    Description: A logic issue existed in the handling of HTTPS URLs in the address bar. If a portion of the address was edited by pasting text, the request may be unexpectedly sent over HTTP. This issue was addressed by improved handling of HTTPS URLs.

    CVE-ID

    CVE-2012-3715 : Aaron Rhoads of East Watch Services LLC, Pepi Zawodsky

  • WebKit

    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2011-3105 : miaubiz

    CVE-2012-2817 : miaubiz

    CVE-2012-2818 : miaubiz

    CVE-2012-2829 : miaubiz

    CVE-2012-2831 : miaubiz

    CVE-2012-2842 : miaubiz

    CVE-2012-2843 : miaubiz

    CVE-2012-3598 : Apple Product Security

    CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer

    CVE-2012-3602 : miaubiz

    CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3612 : Skylined of the Google Chrome Security Team

    CVE-2012-3613 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3614 : Yong Li of Research In Motion, Inc.

    CVE-2012-3616 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3617 : Apple Product Security

    CVE-2012-3621 : Skylined of the Google Chrome Security Team

    CVE-2012-3622 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3623 : Skylined of the Google Chrome Security Team

    CVE-2012-3624 : Skylined of the Google Chrome Security Team

    CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3643 : Skylined of the Google Chrome Security Team

    CVE-2012-3647 : Skylined of the Google Chrome Security Team

    CVE-2012-3648 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3649 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team

    CVE-2012-3651 : Abhishek Arya and Martin Barbella of the Google Chrome Security Team

    CVE-2012-3652 : Martin Barbella of the Google Chrome Security Team

    CVE-2012-3654 : Skylined of the Google Chrome Security Team

    CVE-2012-3657 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3658 : Apple

    CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3660 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome Security Team

    CVE-2012-3672 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3673 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3675 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3676 : Julien Chaffraix of the Chromium development community

    CVE-2012-3677 : Apple

    CVE-2012-3684 : kuzzcc

    CVE-2012-3685 : Apple Product Security

    CVE-2012-3687 : kuzzcc

    CVE-2012-3688 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3692 : Skylined of the Google Chrome Security Team, Apple Product Security

    CVE-2012-3699 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3700 : Apple Product Security

    CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3702 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3703 : Apple Product Security

    CVE-2012-3704 : Skylined of the Google Chrome Security Team

    CVE-2012-3705 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3706 : Apple Product Security

    CVE-2012-3707 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2012-3708 : Apple

    CVE-2012-3709 : Apple Product Security

    CVE-2012-3710 : James Robinson of Google

    CVE-2012-3711 : Skylined of the Google Chrome Security Team

    CVE-2012-3712 : Abhishek Arya (Inferno) of the Google Chrome Security Team
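Added example for the Quarantine attribute entry (CVE-2012-3713) above; it is not part of Apple's advisory and is not Safari's code. It audits downloaded HTML documents for the attribute that triggers the safe mode, assuming the attribute is stored as the extended attribute `com.apple.quarantine` with a `flags;timestamp;agent;UUID` value and read with the macOS `xattr` tool. The function names and sample paths are hypothetical.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"   # assumed attribute name (not on the page)
HTML_SUFFIXES = (".html", ".htm", ".xhtml")

def parse_quarantine(value):
    """Split 'flags;timestamp;agent;UUID'; flags and timestamp are hex strings."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine value: %r" % value)
    stamp = None
    if parts[1].strip("0"):                  # empty or all-zero timestamp: unknown
        stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return {"flags": int(parts[0], 16), "time": stamp, "agent": parts[2],
            "event_id": parts[3] if len(parts) > 3 else ""}

def read_quarantine(path):
    """Return the raw attribute via macOS xattr(1), or None when it is absent."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def audit(paths, reader=read_quarantine):
    """Map each HTML document to its parsed quarantine record, or None if it has none."""
    report = {}
    for path in paths:
        if not path.lower().endswith(HTML_SUFFIXES):
            continue                         # only HTML documents are in scope here
        raw = reader(path)
        report[path] = parse_quarantine(raw) if raw else None
    return report

def unquarantined(report):
    """HTML documents with no Quarantine attribute: these open without the safe mode."""
    return sorted(p for p, rec in report.items() if rec is None)

# Constructed sample values standing in for xattr output, so this also runs off macOS.
SAMPLE = {
    "/Users/me/Downloads/invoice.html":
        "0002;5058f1a0;Safari;11111111-2222-3333-4444-555555555555",
    "/Users/me/Downloads/notes.htm": None,
    "/Users/me/Downloads/photo.jpg": "0002;5058f1a0;Safari;",
}

if __name__ == "__main__":
    for path in unquarantined(audit(SAMPLE, reader=SAMPLE.get)):
        print("no quarantine attribute:", path)
```

On a Mac, call `audit()` with real paths and the default reader to query the file system instead of the sample table.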

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
