Update targets OS X 10.8.5, OS X 10.9.5, and OS X 10.10.1

Dec 4, 2014 07:53 GMT  ·  By

Apple has released an important security update for Safari that patches a plethora of vulnerabilities, all affecting OS X platforms. A similar update has yet to be released for Windows users, or it could be that the Windows version of the browser doesn’t suffer from any of these flaws.

Three separate builds of the browser were released hours ago by the Cupertino company, each targeting a major OS X install base. Safari 8.0.1 is for OS X Yosemite (which includes additional improvements), Safari 7.1.1 for Mavericks users, and Safari 6.2.1 for customers using a Mountain Lion Mac.

WebKit vulnerabilities

As usual, the security holes in dire need of fixing have been found in WebKit, the open source web browser engine adopted by Apple for various applications, including Safari, iTunes, Mail, as well as system components like Dashboard.

One of the flaws involves style sheets loading cross-origin, something that would allow for data exfiltration. Apple explains that “an SVG loaded in an img element could load a CSS file cross-origin. This issue was addressed through enhanced blocking of external CSS references in SVGs.” The company credits Rennie deGraaf of iSEC Partners for discovering and reporting the flaw in question.
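To make "external CSS references in SVGs" concrete, the following added example (not Apple's fix and not WebKit code) lists the stylesheet references in an SVG that point to a different origin than the image itself, as a check a site could run on SVG files it hosts. The function names, the sample SVG and the example hosts are constructed for illustration, and refusing files with a DOCTYPE is an assumption of this sketch.

```python
import re
from urllib.parse import urljoin, urlsplit
from xml.dom import minidom

# Constructed sample: an SVG with one stylesheet PI and two @import rules.
SAMPLE_SVG = '''<?xml-stylesheet href="https://other.example/theme.css" type="text/css"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <style>@import url("//cdn.example/fonts.css"); @import "local.css"; rect { fill: red }</style>
  <rect width="10" height="10"/>
</svg>'''

CSS_IMPORT = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)""", re.I)
PI_HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""")
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Scheme, host and effective port: the tuple two URLs must share."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def cross_origin_css_refs(svg_text, svg_url):
    """Return sorted absolute stylesheet URLs that are not same-origin with svg_url."""
    if "<!doctype" in svg_text.lower():
        # Assumption: files with a DTD are refused, which avoids entity expansion.
        raise ValueError("DOCTYPE not accepted")
    refs, stack = [], [minidom.parseString(svg_text)]
    while stack:
        node = stack.pop()
        stack.extend(node.childNodes)
        if node.nodeType == node.PROCESSING_INSTRUCTION_NODE:
            # <?xml-stylesheet href="..."?> attaches a stylesheet to the document.
            if node.target == "xml-stylesheet":
                refs += PI_HREF.findall(node.data)
        elif node.nodeType == node.ELEMENT_NODE:
            name = node.tagName.split(":")[-1]  # drop any namespace prefix
            if name == "style":
                css = "".join(c.data for c in node.childNodes
                              if c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE))
                refs += CSS_IMPORT.findall(css)
            elif name == "link" and node.getAttribute("rel").lower() == "stylesheet":
                refs.append(node.getAttribute("href"))
    # Resolve relative and scheme-relative references against the SVG's own URL.
    absolute = {urljoin(svg_url, r) for r in refs}
    return sorted(u for u in absolute if origin(u) != origin(svg_url))

if __name__ == "__main__":
    for url in cross_origin_css_refs(SAMPLE_SVG, "https://site.example/img/logo.svg"):
        print("external stylesheet:", url)
```
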

Another vulnerability, a UI spoofing issue, resided in the handling of scrollbar boundaries. Apple fixed it by improving bounds checking and thanked Jordan Milne for reporting it.

Yet another fix covers multiple memory corruption issues spread across different areas of WebKit, which could lead to unexpected application termination or arbitrary code execution. Simply visiting a maliciously crafted web site would be enough to exploit the flaw.

For Yosemite customers

Safari 8.0.1, targeting OS X 10.10 (Yosemite) installations, not only patches the aforementioned vulnerabilities, but also addresses an issue that could prevent history from syncing across devices in situations where iCloud Drive isn’t turned on.

An issue preventing saved passwords from being autofilled after two devices are added to iCloud Keychain is also resolved in this release. WebGL graphics performance on Retina displays is improved as well. Finally, users can now import names and passwords from Firefox, according to the official release notes.

These Safari updates are highly recommended, not just for Yosemite customers (even though they seem to get the best treatment), but also for Mavericks and Mountain Lion users. Security is paramount in web browsers, especially for those of you who like to buy stuff online. Download Safari for OS X here.
