Apple on Tuesday released Safari 4.0.3 to patch six vulnerabilities.
Three of the flaws – involving issues in CoreGraphics, ImageIO and WebKit – could be exploited to execute arbitrary code, according to an Apple advisory.
Perhaps the most unique bug involves a problem with Safari's new Top Sites feature, which provides an "at-a-glance view" of a user's favorite sites, the advisory said. An attacker might be able to exploit the flaw by adding a malicious site to this list, permitting potential phishing scams. Apple fixed the issue by only permitting websites that a user manually visits to be included in the list.
Andrew Storms, director of security operations at vulnerability management firm nCircle, suggested that, considering the number of security updates from Apple this year, the company may want to consider setting a patching schedule.
Vendors such as Microsoft, Oracle and Adobe already do this.
So far this year, Apple has delivered five Safari updates and three Mac OS X updates, the most recent on Aug. 5. Safari has been patched each month since May. Tuesday's release arrived on the same day that Microsoft distributed nine patches to resolve 19 flaws.
"This release makes the contrast between the security processes of Microsoft and Apple even more stark," Storms said. "Microsoft's release was planned, but Apple's updates seem to arrive at a haphazard pace."
An Apple spokeswoman did not respond to a request for comment.
Three of the flaws – involving issues in CoreGraphics, ImageIO and WebKit – could be exploited to execute arbitrary code, according to an Apple advisory.
Perhaps the most unique bug involves a problem with Safari's new Top Sites feature, which provides an "at-a-glance view" of a user's favorite sites, the advisory said. An attacker might be able to exploit the flaw by adding a malicious site to this list, permitting potential phishing scams. Apple fixed the issue by only permitting websites that a user manually visits to be included in the list.
Andrew Storms, director of security operations at vulnerability management firm nCircle, suggested that, considering the number of security updates from Apple this year, the company may want to consider setting a patching schedule.
Vendors such as Microsoft, Oracle and Adobe already do this.
So far this year, Apple has delivered five Safari updates and three Mac OS X updates, the most recent on Aug. 5. Safari has been patched each month since May. Tuesday's release arrived on the same day that Microsoft distributed nine patches to resolve 19 flaws.
"This release makes the contrast between the security processes of Microsoft and Apple even more stark," Storms said. "Microsoft's release was planned, but Apple's updates seem to arrive at a haphazard pace."
An Apple spokeswoman did not respond to a request for comment.
