Apple today released Security Update 2005-003 for Mac OS X 10.3.8. Among the usual set of patches to obscure vulnerabilities, the update includes a patch to Safari:

Support for Unicode characters within domain names (International Domain Name support) can allow maliciously registered domain names to visually appear as legitimate sites. Safari has been modified so that it consults a user-customizable list of scripts that are allowed to be displayed natively. Characters based on scripts that are not in the allowed list are displayed in their Punycode equivalent. The default list of allowed scripts does not include Roman look-alike scripts.

So, Safari is safe from the IDN exploit originally publicized by the Shmoo Group, just under a month after Firefox fixed the same problem by disabling Internationalized Domain Name support entirely.

Firefox’s solution, while most prompt, is problematic. Legitimate international domains like tūdaliņ.lv display as Punycode nonsense like (in this case) xn--tdali-d8a8w.lv. Safari, on the other hand, can display Latvian characters like ū and ņ (and, for that matter, most Unicode characters) in URLs as they ought to appear, in the appropriate places in its UI. It does, however, refuse to display natively any URL containing the homograph glyphs used to disguise one domain as another; the famed pаypal.com domain displays as xn--pypal-4ve.com.
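To make the per-script policy concrete, here is an added example (not code from the post, Apple or Mozilla) that shows a label natively only when every non-ASCII character belongs to an allowed script and otherwise falls back to Punycode. It assumes a Latin-only default allowlist and approximates the Unicode Script property from character names, since the standard library does not expose the property directly.

```python
import unicodedata

# Scripts whose characters may be shown natively. Safari's actual default
# list is not given on the page; a Latin-only allowlist is an assumption.
DEFAULT_ALLOWED_SCRIPTS = frozenset({"LATIN"})


def script_of(ch: str) -> str:
    """Approximate a character's script from its Unicode name.

    The first word of a name such as 'CYRILLIC SMALL LETTER A' names the
    script. This is a heuristic stand-in for the Unicode Script property.
    """
    try:
        return unicodedata.name(ch).split(" ", 1)[0]
    except ValueError:  # unassigned or unnamed code point: treat as foreign
        return "UNKNOWN"


def scripts_in_label(label: str) -> set:
    """Return the set of scripts used by the non-ASCII characters of a label."""
    return {script_of(ch) for ch in label if ord(ch) > 0x7F}


def display_label(label: str, allowed=DEFAULT_ALLOWED_SCRIPTS) -> str:
    """Show a label natively only if all its non-ASCII characters come from
    allowed scripts; otherwise return its Punycode (xn--) form."""
    if scripts_in_label(label) <= allowed:
        return label
    # Python's 'idna' codec applies nameprep and Punycode (RFC 3490/3492).
    return label.encode("idna").decode("ascii")


def display_hostname(hostname: str, allowed=DEFAULT_ALLOWED_SCRIPTS) -> str:
    """Apply the per-label policy to every label of a hostname."""
    return ".".join(display_label(lab, allowed) for lab in hostname.split("."))


if __name__ == "__main__":
    # Constructed inputs: the Latvian domain from the post, the homograph
    # domain whose first 'a' is CYRILLIC SMALL LETTER A (U+0430), and plain ASCII.
    for host in ("t\u016bdali\u0146.lv", "p\u0430ypal.com", "example.com"):
        print(f"{host!r:24} -> {display_hostname(host)}")
```

Adding "CYRILLIC" to the allowlist makes the mixed-script label display natively again, which is exactly the risk a Roman look-alike script carries.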

Before I bestow any precious metal upon Apple, however, I should mention that I can’t for the life of me find the “user-customizable list” of blocked homographs. Mayhaps it’s a hidden preference.

Regardless, congratulations to the Safari people for fixing a really scary problem without abandoning progress and standardization. Let’s see if Mozilla follows suit.
