Apple patches 58 Safari bugs to deflect drive-by attacks

Safari 5.1, the browser bundled with Lion, also makes its way to Snow Leopard

Apple today updated Safari to version 5.1, patching 58 security vulnerabilities and adding several new features, including sandboxing on Mac OS X 10.7.

Safari 5.1 is the browser bundled with Lion, the operating system Apple released earlier today, but it will also run on Mac OS X 10.6, aka Snow Leopard. A separate Safari update to version 5.0.6 was also issued today for users running Mac OS X 10.5, or Leopard.

The update patched a total of 58 flaws in Safari, 14 of them specific to the Windows edition, one that affected only the Mac version, and 44 that impact both platforms. Forty-seven of the 58 were accompanied by Apple's "arbitrary code execution" phrasing, indicating that the company considered them critical.

Unlike rival Microsoft, Apple does not tag vulnerabilities with threat-level labels.

Safari was last patched in April when Apple fixed two flaws. The month before that, however, Apple addressed 62 vulnerabilities in a massive security update.

The bulk of the bugs patched today -- 43 of the 58 -- were in WebKit, the open-source browser engine that powers Safari and also Google's Chrome.

Most of those were memory flaws.

"Multiple memory corruption issues existed in WebKit," said Apple in the security advisory that accompanied the Safari 5.1 update. "Visiting a maliciously-crafted website may lead to an unexpected application termination or arbitrary code execution."

Apple's description means that the vulnerabilities could be exploited via "drive-by" attacks that only require cyber criminals to trick victims into visiting a malware-serving URL.

Along with the patches, Apple also added new features to Safari 5.1, including Reading List, a feature inspired by the third-party program Instapaper, that eliminates Web ads on content marked for later viewing.

Safari 5.1 supports several Lion-only features as well, ranging from the operating system's multi-touch support and full-screen view to automatic resume and "sandboxing," an anti-exploit technology that isolates the browser from the rest of the machine.

Reading List
Safari 5.1 runs on Snow Leopard, but only some features -- like Reading List -- are available. The new browser runs best on Lion.

Like Chrome has done since its 2008 debut, Safari 5.1 insulates the operating system and other applications from any code executed in the browser, including attack code.

"If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe," Apple claimed on its Safari 5.1 website today.

Chrome's sandbox has kept it more secure than other browsers from attacks, including those launched by top-notch researchers at the annual Pwn2Own challenge, where Google's browser has never been hacked.

Safari can be downloaded for Leopard or Snow Leopard on a Mac, and for Windows XP, Vista and Windows 7 on a PC, from Apple's website. Mac OS X users will be notified of the new version automatically, while Windows users already running Safari will be alerted by the Apple Software Update tool.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

Copyright © 2011 IDG Communications, Inc.

Shop Tech Products at Amazon