August 31, 2014

Safari 6.0 released with fixes for security vulnerabilities

(LiveHacking.Com) – Apple has released Safari 6.0 as part of the launch of OS X 10.8 Mountain Lion. The new version of the Mac OS includes an updated version of Apple’s web browser, which has also been backported to OS X 10.7 Lion. As well as new features, Safari 6.0 addresses multiple security issues.

The fixes included in version 6.0 include:

  • A cross-site scripting issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs.
  • An access control issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs.
  • Password input elements with the autocomplete attribute set to “off” were being autocompleted. This update addresses the issue by improved handling of the autocomplete attribute.
  • An issue existed in Safari’s support for the ‘attachment’ value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by downloading resources served with this header, rather than displaying them inline.
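
The last item above describes how a site relies on `Content-Disposition: attachment` to stop third-party uploads from being rendered (and their scripts executed) on the site's own origin. The following is an added example, not code from the article or from Apple/WebKit: a small RFC 6266-style parser that decides whether a given header should force a download, plus a helper that builds the response headers a site should send for user-uploaded files. The function names and the sample header values are constructed for this illustration.

```python
"""Added example (not from the article or from Apple/WebKit): parse a
Content-Disposition header and build safe headers for third-party uploads.
All names and sample values here are constructed for illustration."""

import re
from dataclasses import dataclass
from typing import Dict

# RFC 7230 "token" characters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"

# One ";name=value" parameter, value either a quoted-string or a token.
_PARAM_RE = re.compile(
    r";\s*(?P<name>" + _TOKEN + r")\s*=\s*"
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + _TOKEN + r"))"
)


@dataclass
class Disposition:
    kind: str               # "inline", "attachment", or another token
    params: Dict[str, str]  # parameter names lower-cased

    @property
    def forces_download(self) -> bool:
        # RFC 6266: anything other than "inline" (unknown types included)
        # is to be handled as "attachment", i.e. saved rather than rendered.
        return self.kind != "inline"


def parse_content_disposition(value: str) -> Disposition:
    """Parse a Content-Disposition field value into its type and parameters."""
    value = value.strip()
    m = re.match(_TOKEN, value)
    if not m:
        raise ValueError("Content-Disposition: missing disposition type")
    kind = m.group(0).lower()
    params: Dict[str, str] = {}
    # Scan parameters starting right after the disposition type.
    for pm in _PARAM_RE.finditer(value, m.end()):
        if pm.group("quoted") is not None:
            # Undo backslash escaping inside the quoted-string.
            val = re.sub(r"\\(.)", r"\1", pm.group("quoted"))
        else:
            val = pm.group("token")
        params[pm.group("name").lower()] = val
    return Disposition(kind, params)


def headers_for_third_party_upload(filename: str, content_type: str) -> Dict[str, str]:
    """Response headers for serving a file uploaded by a third party.

    Belt and braces: an attachment disposition with a sanitised filename,
    nosniff so the declared type is not second-guessed, and a CSP sandbox
    so that even a browser that does render the body gets no script access
    to the serving origin.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample header, as a web-mail attachment endpoint might send it.
    d = parse_content_disposition('attachment; filename="report.html"')
    print(d.kind, d.params, "download" if d.forces_download else "render")
    print(headers_for_third_party_upload("evil<script>.html", "text/html"))
```

The parser shows what a conforming browser is expected to do with the header; the bug the article describes is precisely that Safari ignored the `attachment` disposition and rendered the body inline. Because a site cannot control which browser a visitor runs, the header helper layers further defences on top, and the usual complement to all of these is to serve user uploads from a dedicated origin that holds no session cookies or other sensitive resources, so that inline rendering in a buggy browser gains nothing.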

Safari 6.0 uses the open source WebKit (which Apple created) as its rendering engine. WebKit contained multiple memory corruption issues; a user visiting a maliciously crafted website could trigger them, leading to an unexpected application termination or arbitrary code execution. These issues are addressed through improved memory handling inside WebKit.

Many of the WebKit vulnerabilities had previously been fixed in Google’s Chrome web browser (which also uses WebKit), with many of them credited to the “Google Chrome Security Team” or to security researchers, such as Miaubiz, who receive rewards from Google for finding bugs. However, Apple did do its fair share of the work, with a good number of the WebKit vulnerabilities being discovered by Apple itself.

Safari 6.0 isn’t available for OS X 10.5 Snow Leopard, which has now been abandoned by Apple (leaving users with a 32-bit Intel Mac vulnerable). Also, at this time there is no news about Safari 6.0 for Windows.
