Malicious sites can send messages to a connected frame or window

May 22, 2014 06:41 GMT

New security flaws discovered in Safari, the OS X web browser, have prompted Apple to take action. New versions of the browser are available for download starting today for users of OS X Lion, Mountain Lion, and Mavericks (three separate Mac OS iterations).

Apple doesn’t yet offer the downloads through its Support site, but it has published an advisory describing the security content of Safari 6.1.4 and Safari 7.0.4. According to that KB article, 22 WebKit holes have been patched in this update for computers running Lion, Mountain Lion, and Mavericks.

The specific Mac OS versions targeted by the update are OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.3. Any Mac OS in between these versions is also eligible for the new Safari updates.

One of the flaws stems from multiple memory corruption issues that existed in WebKit, leading to “unexpected application termination or arbitrary code execution” if the user is tricked into visiting a maliciously crafted website. The Cupertino computer company managed to address the problem “through improved memory handling,” according to the advisory.

Almost two dozen separate vulnerabilities contributed to this flaw, with Apple crediting just as many people for discovering the bugs and reporting them to the company. The Mac maker mentions the Google Chrome Security Team, Atte Kettunen of OUSPG, Ian Beer of Google Project Zero, less-official handles such as “miaubiz,” “cloudfuzzer,” and “banty” (which could belong to anyone from freelance researchers to amateur hackers), as well as an anonymous member of the Blink development community.

Erling Ellingsen of Facebook discovered a second WebKit flaw which Apple says also affects OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.3.

Born from an encoding issue in the handling of Unicode characters in URLs, the vulnerability could cause an incorrect postMessage origin to be sent via a maliciously crafted URL. The impact of the bug is described as follows: “A malicious site can send messages to a connected frame or window in a way that might circumvent the receiver's origin check.” Apple addressed this issue through improved encoding/decoding.
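The receiver-side origin check that the advisory's wording refers to, as an added example in JavaScript that is not from the article, from Apple or from WebKit: a page that exchanges messages with a frame should compare exact canonical origins (scheme, host and port as serialized by the URL parser, which also converts non-ASCII host labels) and reject anything unparseable or opaque. The allowlist, function names and sample events are constructed for illustration.

```javascript
// Receiver-side origin check for window.postMessage: compare exact canonical
// origins, never substrings, and treat anything unparseable or opaque as untrusted.
// Allowlist and sample events are constructed for this example.
const ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com:8443"];

function canonicalOrigin(origin) {
  // Serialize to scheme://host[:port]: scheme and host lower-cased, default port
  // dropped, non-ASCII host labels converted by the URL parser (IDNA), so two
  // spellings of one origin compare equal and lookalike hosts do not.
  if (typeof origin !== "string") return null;
  let u;
  try { u = new URL(origin); } catch { return null; }   // "null" and garbage land here
  return u.origin === "null" ? null : u.origin;        // opaque origins (data:, sandboxed frames)
}

function isTrustedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  const o = canonicalOrigin(origin);
  return o !== null && allowlist.some((a) => canonicalOrigin(a) === o);
}

function handleMessage(event, allowlist = ALLOWED_ORIGINS) {
  // Decide on event.origin alone, before looking at event.data; nothing inside
  // the message body can be used to identify the sender.
  if (!isTrustedOrigin(event.origin, allowlist)) return { accepted: false, reason: "untrusted origin" };
  if (typeof event.data !== "object" || event.data === null) return { accepted: false, reason: "malformed data" };
  return { accepted: true, data: event.data };
}

function sendToFrame(targetWindow, payload, targetOrigin) {
  // Sender side: name the destination explicitly; "*" would deliver the message
  // to whatever document currently occupies the frame.
  const t = canonicalOrigin(targetOrigin);
  if (targetOrigin === "*" || t === null) throw new Error("explicit target origin required");
  targetWindow.postMessage(payload, t);
}

// Constructed MessageEvent-shaped samples, so the check runs without a browser.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { type: "ping" } },        // exact match
  { origin: "HTTPS://App.Example.com:443", data: { type: "ping" } },    // same origin, other spelling
  { origin: "https://app.example.com.lookalike.test", data: {} },       // would pass a startsWith check
  { origin: "https://app.exаmple.com", data: {} },                      // Cyrillic 'а' in the host
  { origin: "null", data: {} },                                         // opaque origin
  { origin: "http://app.example.com", data: {} },                       // scheme differs
];

function runSamples() {
  return SAMPLE_EVENTS.map((e) => handleMessage(e).accepted);
}
```

Only the first two samples are accepted; a check built on `indexOf`, `startsWith` or a regular expression over the raw string would also let the third through.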

Safari 7.0.4 and Safari 6.1.4 are available solely for Mac OS X customers, meaning Windows users are unaffected by these vulnerabilities. As usual, you can grab either version (depending on what you need for your system) from the links below.

Download Safari 7.0.4 for OS X Mavericks

Download Safari 6.1.4 for OS X Lion and Mountain Lion