Apple Patches Safari Bugs

Wednesday, October 23, 2013 @ 06:10 PM gHale


Apple released security updates for Safari 6.1 with patches for 21 vulnerabilities.

These vulnerabilities could allow a remote attacker to execute arbitrary code, disclose information, or carry out cross-site scripting.

Safari 6.1, which carries the WebKit fixes, is available for the following OS X versions:
• OS X Lion v10.7.5
• OS X Lion Server v10.7.5
• OS X Mountain Lion v10.8.5
OS X Mavericks includes these fixes with Safari 7.0.

Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, according to the advisory relayed by US-CERT. A memory corruption issue existed in the handling of XML files; Apple addressed it through additional bounds checking.

The update fixed the following vulnerabilities:
• WebKit in Apple iOS before 7 and in Safari before 6.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
• Multiple memory corruption issues in WebKit allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. These issues were addressed through improved memory handling.
• A use-after-free vulnerability in WebKit allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of widgets.
• A vulnerability in the XSS Auditor might allow remote attackers to obtain sensitive information via unspecified vectors; visiting a maliciously crafted website may lead to an information disclosure. This issue was addressed through improved handling of URLs.
• Multiple XSS vulnerabilities in WebKit allow user-assisted remote attackers to inject arbitrary web script or HTML via drag-and-drop or copy-and-paste operations. Dragging or pasting a selection from one site to another may allow scripts contained in the selection to execute in the context of the new site. This issue was addressed through additional validation of content before a paste or a drag-and-drop operation.
• Using the Web Inspector disabled Private Browsing without warning. This issue was addressed through improved state management.
• An XSS vulnerability in the handling of URLs allows remote attackers to inject arbitrary web script or HTML via a crafted URL. This issue was addressed through improved origin tracking.
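The copy-and-paste item above describes script carried inside a pasted selection running in the receiving page's origin; the browser-side fix was validation of the content before the paste. The following is an added example, not Apple's or WebKit's code, showing the same control applied by the receiving page itself: a paste handler that re-serializes pasted HTML through an allowlist before inserting it, so script elements, event-handler attributes and `javascript:` URLs never reach the DOM. The allowed tags and attributes, the function name `sanitizePastedHtml` and the sample input are assumptions chosen for the illustration.

```javascript
// Added example (not Apple's or WebKit's code): allowlist re-serialization of
// pasted HTML, applied by the receiving page before the fragment is inserted.
// The allowlists below are assumptions chosen for the illustration.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a', 'span']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), span: new Set(['title']) };
const VOID_TAGS = new Set(['br']);
// Elements whose whole content is discarded, not just the tag itself.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const SAFE_URL = /^(https?:|mailto:)/i; // scheme allowlist: rejects javascript:, data:, vbscript:

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)/y;
const ATTR_RE = /\s*([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/y;

// Escape text for re-serialization; already-encoded entities are left alone.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z#][a-zA-Z0-9]*;)/g, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Minimal tokenizer: yields {type:'text', value} and {type:'tag', name, closing, attrs}.
// Comments are dropped; anything that is not a well-formed tag is treated as text.
function* tokenize(html) {
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      const j = html.indexOf('<', i);
      const end = j === -1 ? html.length : j;
      yield { type: 'text', value: html.slice(i, end) };
      i = end;
      continue;
    }
    if (html.startsWith('<!--', i)) {
      const j = html.indexOf('-->', i + 4);
      i = j === -1 ? html.length : j + 3;
      continue;
    }
    TAG_RE.lastIndex = i;
    const m = TAG_RE.exec(html);
    if (!m) { yield { type: 'text', value: '<' }; i += 1; continue; }
    const attrs = [];
    let j = TAG_RE.lastIndex;
    while (j < html.length && html[j] !== '>') {
      ATTR_RE.lastIndex = j;
      const a = ATTR_RE.exec(html);
      if (!a) { j += 1; continue; } // stray '/', quote or whitespace before '>'
      attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? '' });
      j = ATTR_RE.lastIndex;
    }
    i = Math.min(j + 1, html.length);
    yield { type: 'tag', name: m[2].toLowerCase(), closing: m[1] === '/', attrs };
  }
}

// Rebuild the fragment from scratch: only allowlisted tags/attributes are emitted,
// text is re-escaped, and open tags are closed so nothing leaks past the insertion point.
function sanitizePastedHtml(html) {
  const out = [];
  const open = [];   // stack of emitted open tags, used to emit balanced closes
  let dropDepth = 0; // >0 while inside script/style/...: their text is discarded
  for (const tok of tokenize(html)) {
    if (tok.type === 'text') {
      if (dropDepth === 0) out.push(escapeText(tok.value));
      continue;
    }
    if (DROP_WITH_CONTENT.has(tok.name)) {
      dropDepth = tok.closing ? Math.max(0, dropDepth - 1) : dropDepth + 1;
      continue;
    }
    if (dropDepth > 0 || !ALLOWED_TAGS.has(tok.name)) continue; // drop tag, keep its text
    if (tok.closing) {
      const idx = open.lastIndexOf(tok.name);
      if (idx === -1) continue; // close with no matching open: ignore
      while (open.length > idx) out.push(`</${open.pop()}>`);
      continue;
    }
    const kept = [];
    for (const a of tok.attrs) {
      if (a.name.startsWith('on')) continue; // event handlers, explicit even though not allowlisted
      if (!ALLOWED_ATTRS[tok.name] || !ALLOWED_ATTRS[tok.name].has(a.name)) continue;
      if (a.name === 'href' && !SAFE_URL.test(a.value.trim())) continue;
      kept.push(` ${a.name}="${escapeText(a.value)}"`);
    }
    out.push(`<${tok.name}${kept.join('')}>`);
    if (!VOID_TAGS.has(tok.name)) open.push(tok.name);
  }
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join('');
}

// Browser hook (no-op under Node): replace the default paste with the sanitized fragment.
if (typeof document !== 'undefined') {
  document.addEventListener('paste', (e) => {
    const raw = e.clipboardData && e.clipboardData.getData('text/html');
    if (!raw) return; // plain-text paste: nothing to sanitize
    e.preventDefault();
    e.target.insertAdjacentHTML('beforeend', sanitizePastedHtml(raw));
  });
}

// Constructed sample standing in for a selection copied from a hostile page.
const sample = '<b onclick="alert(1)">hello</b><script>alert(document.cookie)</script>'
  + '<a href="javascript:alert(2)">link</a><a href="https://example.com" target="_blank">ok</a>';
console.log(sanitizePastedHtml(sample)); // <b>hello</b><a>link</a><a href="https://example.com">ok</a>
```

The point of rebuilding the fragment rather than deleting known-bad patterns is that anything the tokenizer does not recognise is emitted as escaped text, so a malformed or unexpected construct fails closed. In a production page a maintained DOM-based sanitizer is the better choice; the tokenizer here is kept small so the allowlist logic is visible.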

Mac users running OS X Lion can install the Safari 6.1 update by choosing Apple menu > Software Update (if prompted, enter an administrator password). For users running OS X Mountain Lion, Safari 6.1 is available from the Mac App Store.
