Apple patches 58 Safari bugs to deflect drive-by attacks
Safari 5.1, the browser bundled with Lion, also makes its way to Snow Leopard
Apple today updated Safari to version 5.1, patching 58 security vulnerabilities and adding several new features, including sandboxing on Mac OS X 10.7.
Safari 5.1 is the browser bundled with Lion, the operating system Apple released earlier today, but it will also run on Mac OS X 10.6, aka Snow Leopard. A separate Safari update to version 5.0.6 was also issued today for users running Mac OS X 10.5, or Leopard.
The update patched a total of 58 flaws in Safari, 14 of them specific to the Windows edition, one that affected only the Mac version, and 44 that impact both platforms. Forty-seven of the 58 were accompanied by Apple's "arbitrary code execution" phrasing, indicating that the company considered them critical.
Unlike rival Microsoft, Apple does not tag vulnerabilities with threat-level labels.
Safari was last patched in April when Apple fixed two flaws. The month before that, however, Apple addressed 62 vulnerabilities in a massive security update.
The bulk of the bugs patched today -- 43 of the 58 -- were in WebKit, the open-source browser engine that powers Safari and also Google's Chrome.
Most of those were memory flaws.
"Multiple memory corruption issues existed in WebKit," said Apple in the security advisory that accompanied the Safari 5.1 update. "Visiting a maliciously-crafted website may lead to an unexpected application termination or arbitrary code execution."
Apple's description means that the vulnerabilities could be exploited via "drive-by" attacks that only require cyber criminals to trick victims into visiting a malware-serving URL.
Along with the patches, Apple also added new features to Safari 5.1, including Reading List, a feature inspired by the third-party program Instapaper, that eliminates Web ads on content marked for later viewing.
Safari 5.1 supports several Lion-only features as well, ranging from the operating system's multi-touch support and full-screen view to automatic resume and "sandboxing," an anti-exploit technology that isolates the browser from the rest of the machine.
Like Chrome has done since its 2008 debut, Safari 5.1 insulates the operating system and other applications from any code executed in the browser, including attack code.
"If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe," Apple claimed on its Safari 5.1 website today.
Chrome's sandbox has kept it more secure than other browsers from attacks, including those launched by top-notch researchers at the annual Pwn2Own challenge, where Google's browser has never been hacked.
Safari can be downloaded for Leopard or Snow Leopard on a Mac, and for Windows XP, Vista and Windows 7 on a PC, from Apple's website. Mac OS X users will be notified of the new version automatically, while Windows users already running Safari will be alerted by the Apple Software Update tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Desktop Apps White Papers | Webcasts