Network Security, Patch/Configuration Management, Vulnerability Management

Massive Safari update fixes dozens of security flaws

Along with the release of its latest platform, OS X Lion, Apple this week issued a new version of its Safari web browser, closing dozens of security flaws.

The updated version, Safari 5.1, is included in Lion and is available for Mac OS X 10.6 Snow Leopard, as well as Windows 7, Vista and XP. A separate update, Safari 5.0.6, was released for users of Mac OS X 10.5 Leopard to fix the same vulnerabilities.

The update closes 58 flaws in total, some of which could allow an attacker to execute arbitrary code, perform cross-site scripting attacks or obtain sensitive information, according to an advisory from the US-CERT.

“The sheer number of vulnerabilities being patched in Safari is mind-boggling,” Andrew Storms, director of security operations for network and compliance auditing firm nCircle, said in a statement sent to

Other computing giants, like Microsoft and Oracle, release comparable-sized updates, but those fixes typically apply to many different applications and operating systems.

“This is a vast number of bugs for just Safari alone,” Storms said.

The majority of the bugs addressed in the update affect WebKit, an open-source web browser engine used by Safari and Google's Chrome web browser. Most of the WebKit flaws were classified as memory corruption issues that could allow for the execution of remote code if a user is tricked into visiting a malicious website.

Safari 5.1 also includes a new “sandboxing” feature, exclusive for Lion users, that is designed to protect against web-based exploits. Sandboxing refers to the process of isolating programs from one another to prevent issues in one program from affecting the entire operating system.

“All the web content and applications you use in Safari on Lion are sandboxed, so websites can't use exploits to access your system,” Apple explained. “If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe.”

Google has included sandboxing technology in Chrome since the browser's release in 2008.

Safari 5.1 also includes non-security improvements, including a new feature called Reading List, which lets users tag articles and links for later reading.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.