Apple has released new versions of Safari 6.1 and Safari 7.0 for Mac OS X to fix critical vulnerabilities. If exploited, these vulnerabilities could lead to arbitrary code execution. The bugs fixed fall into two categories: those in Safari itself and those in the WebKit HTML rendering engine.
In Safari itself, Apple has fixed one vulnerability that allowed hackers to create a site where Safari autofilled various user credentials unexpectedly. This could have led to unwanted information disclosure. According to Apple, “Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.”
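One way to express the kind of origin check that advisory describes, as an added example that is not Apple's or WebKit's code: the function names, the strict same-origin rule applied along the whole frame chain, and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example: an autofill policy check, not Safari's or WebKit's code.

// Serialized origin (scheme + host + port) of a URL, or null when the URL
// is unparsable or has an opaque origin (data:, about:blank, file:).
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (_) {
    return null;
  }
}

// savedFor:   URL of the page the credential was saved on.
// frameChain: URLs from the main frame down to the frame holding the form.
// Assumed policy: fill only if every frame in the chain has the origin the
// credential was saved for, so a subframe from another domain is refused.
function mayAutofill(savedFor, frameChain) {
  if (!Array.isArray(frameChain) || frameChain.length === 0) return false;
  const saved = originOf(savedFor);
  if (saved === null) return false;
  return frameChain.every((url) => originOf(url) === saved);
}

// Constructed cases; the .example hosts are hypothetical.
const SAVED = "https://bank.example/login";
const cases = {
  "top-level login page": ["https://bank.example/login"],
  "same-origin subframe": ["https://bank.example/", "https://bank.example/login"],
  "login form framed by another domain": ["https://news.example/", "https://bank.example/login"],
  "foreign subframe in the login page": ["https://bank.example/", "https://ads.example/form"],
  "scheme downgrade": ["http://bank.example/login"],
  "opaque-origin subframe": ["https://bank.example/", "about:blank"],
};

for (const [name, chain] of Object.entries(cases)) {
  console.log(`${mayAutofill(SAVED, chain) ? "fill  " : "refuse"}  ${name}`);
}
```

Comparing full origins rather than host names is what makes the scheme-downgrade and opaque-origin cases fail closed.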
The other fixes were for WebKit. Because of these vulnerabilities, a visit to a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution. This was due to multiple memory corruption issues, which were addressed through improved memory handling.
More details of the security content of Safari 6.1.1 and Safari 7.0.1 can be found here. Safari 6.1.1 and Safari 7.0.1 are available for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.
Apple has also released an update to its latest iteration of OS X.
Apple recommends that all 10.9 users apply the OS X Mavericks v10.9.1 update. The update includes Safari 7.0.1 but doesn’t fix any other security issues in OS X. There are other bug fixes and enhancements which include:
- Improved support for Gmail in OS X Mail, and fixes for users with custom Gmail settings
- Improves the reliability of Smart Mailboxes and search in Mail
- Fixes an issue that prevented contact groups from working properly in Mail
- Fixes an issue that prevented iLife and iWork apps from updating on non-English systems
- Addresses an issue that may cause multiple prompts to unlock “Local items” keychain
More details about the security content of OS X Mavericks v10.9.1 can be found here.