Apple patches 58 Safari bugs to deflect drive-by attacks
Safari 5.1, the browser bundled with Lion, also makes its way to Snow Leopard
Apple today updated Safari to version 5.1, patching 58 security vulnerabilities and adding several new features, including sandboxing on Mac OS X 10.7.
Safari 5.1 is the browser bundled with Lion, the operating system Apple released earlier today, but it will also run on Mac OS X 10.6, aka Snow Leopard. A separate Safari update to version 5.0.6 was also issued today for users running Mac OS X 10.5, or Leopard.
The update patched a total of 58 flaws in Safari, 14 of them specific to the Windows edition, one that affected only the Mac version, and 44 that impact both platforms. Forty-seven of the 58 were accompanied by Apple's "arbitrary code execution" phrasing, indicating that the company considered them critical.
Unlike rival Microsoft, Apple does not tag vulnerabilities with threat-level labels.
Safari was last patched in April when Apple fixed two flaws. The month before that, however, Apple addressed 62 vulnerabilities in a massive security update.
The bulk of the bugs patched today -- 43 of the 58 -- were in WebKit, the open-source browser engine that powers Safari and also Google's Chrome.
Most of those were memory flaws.
"Multiple memory corruption issues existed in WebKit," said Apple in the security advisory that accompanied the Safari 5.1 update. "Visiting a maliciously-crafted website may lead to an unexpected application termination or arbitrary code execution."
Apple's description means that the vulnerabilities could be exploited via "drive-by" attacks that only require cyber criminals to trick victims into visiting a malware-serving URL.
Along with the patches, Apple also added new features to Safari 5.1, including Reading List, a feature inspired by the third-party program Instapaper, that eliminates Web ads on content marked for later viewing.
Safari 5.1 supports several Lion-only features as well, ranging from the operating system's multi-touch support and full-screen view to automatic resume and "sandboxing," an anti-exploit technology that isolates the browser from the rest of the machine.
Like Chrome has done since its 2008 debut, Safari 5.1 insulates the operating system and other applications from any code executed in the browser, including attack code.
"If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe," Apple claimed on its Safari 5.1 website today.
Chrome's sandbox has kept it more secure than other browsers from attacks, including those launched by top-notch researchers at the annual Pwn2Own challenge, where Google's browser has never been hacked.
Safari can be downloaded for Leopard or Snow Leopard on a Mac, and for Windows XP, Vista and Windows 7 on a PC, from Apple's website. Mac OS X users will be notified of the new version automatically, while Windows users already running Safari will be alerted by the Apple Software Update tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Workarounds to purge search bar from Firefox's new tab page are available
- Mozilla ships Firefox 31, adds search to new tab page
- Microsoft's IE steps back from the brink of irrelevance
- Firefox falters, falls to record low in overall browser share
- Firefox risks user backlash by adding search box to new tab page
- Google unseats Microsoft as the U.S. browser powerhouse
- Safari, Chrome push to mask URLs
- Chrome on Windows champs at the 64-bit
- Google pulls trigger, cripples some Chrome add-ons
- Microsoft shoots to shorten Internet Explorer's long tail
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- HTTP Status Code Cheat Sheet Look at the Graph, Find the Code and Boom - You're Solving Problems. Identifying and understanding common HTTP status codes can go a...
- Architects lead the next generation of data-driven applications Read this whitepaper to find out how application architects can quickly and confidently deliver long-lasting applications that minimize cost, complexity, and risk while...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Desktop Apps White Papers | Webcasts