Apple has released a new version of its Safari web browser, with version number 12.1.1. Version 12.1 added, among other things, a dark mode and intelligent anti-tracking. In this update, it appears that hard work went into fixing a number of security issues in WebKit. The list of changes in this release is as follows:
Impact: Processing maliciously crafted web content may result in the disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro's Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro's Zero Day Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel Groß of Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Groß of Google Project Zero
CVE-2019-8623: Samuel Groß of Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
We would like to acknowledge Michael Ball of Gradescope by Turnitin for their assistance.
Safari 12.1 Release Notes
Safari 12.1 ships with iOS 12.2 and macOS 10.14.4. It’s also available for macOS 10.13.6 and 10.12.6. New features of Safari 12.1 include:
- Dark Mode for the Web. The ability to enable color scheme customizations for websites while in Dark Mode.
- Intelligent Tracking Prevention. New permission requirements for third-party cookies and new limits for long-term tracking.
- Updated the push notification prompt for Safari on macOS to require a user gesture.
- Updated the behavior of websites saved to the home screen on iOS to pause in the background instead of relaunching each time.
Security and Privacy
- Updated Password AutoFill to sign in automatically to websites after filling in the credentials.
Intelligent Tracking Prevention
- Added warnings displayed to the user when loading insecure pages in both Safari and in SFSafariViewController.
- Added Motion & Orientation settings on iOS to enable the DeviceMotionEvent and DeviceOrientationEvent events.
- Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable.
- Updated the link behavior for "target=_blank" to include rel="noopener" implicitly.
- Removed support for partitioned cookies for domains with cross-site tracking capabilities. The Storage Access API now provides third-party access to cookies.
- Improved Intelligent Tracking Prevention to limit long-term tracking based on client-side first-party cookies and to verify partitioned cache entries.
Payment Request API
- Added a supported-color-schemes meta tag to indicate a website supports light and dark color schemes.
- Added support for the Intersection Observer API, which detects the intersection of visible elements relative to other elements. Elements include the viewport of the top-level document.
- Added support for the Web Share API to invoke the native share dialog provided by the system.
- Added support for <input type="color">.
- Added support for the <datalist> element.
CSS and Text
- Added support for granular errors.
- Added support in Wallet & Apple Pay preferences for using the default contact information for the shipping address, email, and phone. On iOS, set preferences in the Transaction Defaults category in Settings > Wallet & Apple Pay. On Mac, set preferences in System Preferences > Wallet & Apple Pay > Contacts and Shipping.
- Added support for the default addresses and contacts configured in the Contacts and Shipping in the Wallet system preferences on iOS and macOS.
- Added support for special fields for Japan including phoneticName, subLocality, and subAdministrativeArea.
- Added support for the CSS media queries prefers-color-scheme: light and prefers-color-scheme: dark.
- Added support for CSS rules to customize text decorations like underlines and dashed underlines.
- Added support for new rgb() color functions from the CSS Color 4 specification.
Safari App Extension API
- Added support for H.264 simulcast and VP8 in WebRTC to improve support for multi-party video conferencing.
- Enabled cross-browser Encrypted Media Extensions (EME) by adding APIs without the webkit prefix.
Web Inspector and Tools
- Added getAllWindows(completionHandler:) and getAllTabs(completionHandler:) for iterating over all open windows and tabs.
- Added getContainingTab(completionHandler:) and getContainingWindow(completionHandler:) for access to the containing tab and window objects.
- Added a close method to SFSafariWindow and SFSafariTab for closing windows and tabs.
- Added navigate(to:) for changing the URL of a tab.
- Added getScreenshotOfVisibleArea(completionHandler:) for taking a screenshot of the visible contents of a page.
- Added showPopover() and dismissPopover() for showing and dismissing extension popovers.
- Added getBaseURI(completionHandler:) for retrieving the base URI in the app extension process.
- Improved support for navigating backwards and forwards.
- Added support for multiple selection of DOM tree nodes and of entries in the Cookies table.
- Improved styles editing with multiple selection support.
- Updated Timelines to include media events.