Apple issues week's second patch set, fixes 7 Safari flaws

Computerworld - Apple on Wednesday issued its second security update in three days, patching seven vulnerabilities in Safari, including one in the Windows version that the company fixed two months ago for most Mac users.

But unlike the operating system security update issued Monday, which didn't deliver patches for Mac OS X 10.4, aka Tiger, Wednesday's upgrade applies to users running Safari on that 2005 operating system. Apple traditionally stops providing security updates for its oldest still-supported OS several months after the release of a new edition, but apparently will continue supporting Safari on Tiger.

Of the seven holes that Safari 4.0.4 plugs, six apply to the little-used Windows version of the browser, six affect Tiger, but just three impact Mac OS X 10.5 and 10.6, Leopard and Snow Leopard, respectively.

Only two of the vulnerabilities were accompanied by Apple's "may result in arbitrary code execution" phrasing, its way of noting that the bugs are serious and if exploited, could let attackers hijack a machine. Both of those critical vulnerabilities affect the Windows edition of Safari only.

The remaining five bugs included ones that could crash Safari, let hackers grab information from the targeted system and enable cross-site scripting attacks, which are often used by identity thieves.

Three of the seven flaws were in the WebKit rendering engine, the open-source foundation of Safari.

Apple also patched vulnerabilities in Safari for Windows and Tiger that were fixed for other versions of the Mac operating system as long ago as Sept. 10. One was patched for Leopard users in the 2009-005 security update, which was released on that date, while another was addressed Monday in the 2009-006 update for Leopard and Snow Leopard.

Safari last received a security update in mid-August, when Apple plugged six security holes, four of them critical.

According to California-based Web applications security vendor Cenzic, Safari accounted for 35% of all browser vulnerabilities disclosed in the first half of the year, second only to the much more popular Firefox. Safari, however, has a relatively small slice of the market; the most recent data from Internet metrics firm Net Applications pegged Safari at a 4.4% share overall, with the Windows version accounting for only 0.3%, less than a tenth of the share controlled by Google's Chrome, another Windows-only browser.

Safari 4.0.4 for Windows or Mac can be downloaded from Apple's site. Current users of the browser can obtain the new version by running Software Update on the Mac or the bundled Apple Software Update on Windows.

Read more about security in Computerworld's Security Knowledge Center.