Apple Safari 4.0.4 updated for 7 security flaws
Apple is updating its Safari web browser to version 4.0.4 to fix 7 identified CVE's (Common Vulnerabilities and Exposures) spread across both Mac and Windows versions of the software.
Three of the fixes are for Safari's core WebKit rendering engine and in my opinion they're critical issues. What's particularly interesting is how the issues were identified in one case by Google and in the other by Apple. Both Google and Apple rely on WebKit as the key rendering infrastructure for their respective browsers.
One of the issues is a Cross Site Request Forgery (CSRF) flaw in how WebKit enables a page from one location to access a resource in another place.
"WebKit sends a preflight request to the latter server
for access to the resource," Apple's advisory states. "WebKit includes custom HTTP headers
specified by the requesting page in the preflight request. This can
facilitate cross-site request forgery."