Safari Updates; Firefox Delays

Wednesday, March 14, 2012 @ 04:03 PM gHale

Apple released version 5.1.4 of its Safari web browser for Windows and Mac OS X, which addresses more than 80 vulnerabilities, while the Firefox team decided to delay its next release until it can evaluate a security report.

The update also includes various stability and performance improvements as well as fixes for other non-security related bugs, Apple officials said.

A majority of the security holes closed in 5.1.4 were in the WebKit browser engine used by Safari. These include several cross-site scripting (XSS), cross-origin and HTTP authentication problems, as well as numerous memory corruption bugs that an attacker could exploit to cause unexpected application termination or arbitrary code execution.

In addition, the upgrade addresses a recent issue in which, officials said, Google bypassed Safari’s privacy controls on cookies. It also fixes a bug in Safari’s Private Browsing mode that allowed page visits to be recorded in the browser history while the mode was active.

On Windows systems, the browser update improves domain name validity checking in order to prevent attackers from using look-alike characters in a URL to visually spoof a legitimate domain and direct users to a malicious site. Mac OS X systems did not have this issue.

Safari 5.1.4 is available to download for Windows XP or later, and Mac OS X 10.6 and 10.7. Alternatively, Mac OS X users can upgrade to the new version via the built-in Software update function. All users should upgrade as soon as possible, Apple officials said.

Meanwhile, the Firefox team said they are postponing the release of Firefox 11, originally planned for early this week, because of a security report the team wants to evaluate to make sure the issue will not impact their code. Jonathan Nightingale, Mozilla’s Senior Director of Firefox Engineering, also gave Microsoft’s monthly Patch Tuesday security update this week as a reason to hold back.

Nightingale said there is no reason to expect any issues, but the team would rather ship Firefox 11 after it has evaluated the Microsoft updates, because such updates have “interacted badly” with Firefox before. Firefox plans out releases far in advance, in accordance with the changes Mozilla enacted with its development cycle last year.

It is notable that the team decided to halt the release of Firefox 11 this close to the planned date. At this point, no one will say if the delay relates to Firefox’s fall at last week’s Pwn2Own contest, but the vulnerability report is coming from ZDI (Zero Day Initiative), which organized the Pwn2Own competition.
