Massive Safari update fixes dozens of security flaws

Along with the release of its latest platform, OS X Lion, Apple this week issued a new version of its Safari web browser, closing dozens of security flaws.

The updated version, Safari 5.1, is included in Lion and is available for Mac OS X 10.6 Snow Leopard, as well as Windows 7, Vista and XP. A separate update, Safari 5.0.6, was released for users of Mac OS X 10.5 Leopard to fix the same vulnerabilities.

The update closes 58 flaws in total, some of which could allow an attacker to execute arbitrary code, perform cross-site scripting attacks or obtain sensitive information, according to an advisory from US-CERT.

“The sheer number of vulnerabilities being patched in Safari is mind-boggling,” Andrew Storms, director of security operations for network and compliance auditing firm nCircle, said in a statement sent to SCMagazineUS.com.

Other computing giants, like Microsoft and Oracle, release comparably sized updates, but those fixes typically apply to many different applications and operating systems.

“This is a vast number of bugs for just Safari alone,” Storms said.

The majority of the bugs addressed in the update affect WebKit, an open-source web browser engine used by Safari and Google's Chrome web browser. Most of the WebKit flaws were classified as memory corruption issues that could allow for the execution of remote code if a user is tricked into visiting a malicious website.

Safari 5.1 also includes a new “sandboxing” feature, exclusive to Lion users, that is designed to protect against web-based exploits. Sandboxing refers to the process of isolating programs from one another to prevent issues in one program from affecting the entire operating system.

“All the web content and applications you use in Safari on Lion are sandboxed, so websites can't use exploits to access your system,” Apple explained. “If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe.”

Google has included sandboxing technology in Chrome since the browser's release in 2008.

Safari 5.1 also includes non-security improvements, including a new feature called Reading List, which lets users tag articles and links for later reading.
