Apple has just released a pair of software updates for its Safari web browser addressing multiple Webkit vulnerabilities in Mac OS X, providing its users with 21 security patches.
The critical bug resides in the Safari 7.0.4 for Mac OS X Mavericks 10.9.3 and Safari 6.1.4 for OS X Lion 10.7.5, OS X Lion Server 10.7.5 and Mountain Lion 10.8.5.
According to Apple's security advisory, All of the 21 security flaws address the iOS browser vulnerabilities proliferating through the Safari's open-source Webkit rendering engine. This webkit vulnerability allows a malicious website to execute an arbitrary code on the host computer or unexpected termination of an application in an effort to compromise users' confidential information.
"Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution," Apple warned in the advisory.
Security updates tackle a number of flaws including:
- CVE-2013-2875
- CVE-2013-2927
- CVE-2014-1323
- CVE-2014-1324
- CVE-2014-1326
- CVE-2014-1327
- CVE-2014-1329
- CVE-2014-1330
- CVE-2014-1331
- CVE-2014-1333
- CVE-2014-1334
- CVE-2014-1335
- CVE-2014-1336
- CVE-2014-1337
- CVE-2014-1338
- CVE-2014-1339
- CVE-2014-1341
- CVE-2014-1342
- CVE-2014-1343
- CVE-2014-1344
- CVE-2014-1731
Most of the vulnerabilities are found by the Apple together with a lot of help from Google Chrome Team of researchers.
This security issues have been attributed to various forms of memory corruption-related issues within the Safari's Webkit rendering engine and has been patched in the current Safari updates through improved memory handling.
Yet another security issue with Safari's WebKit is the handling of unicode characters in URLs. The issue has been addressed through improved encoding and decoding. If the critical security vulnerabilities remain unaddressable, it could allow a maliciously crafted URL to send out false postMessage anonymously to the recipient, thus controlling the receiver's origin check.
"A malicious site [could] send messages to a connected frame or window in a way that might circumvent the receiver's origin check," the site stated.
Apple is more concerned about the security of its users and protects its users' privacy, so it didn't disclosed or confirmed any of the security flaws until it thoroughly investigated and identified the vulnerabilities along with the release of necessary patches.
"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website," reads the advisory.
The released patches are important to update and if not, could leave your system exposed to arbitrary code execution attacks, whereby giving the remote access of the system to an unauthorised third party. So, the users are advised to install the new updates via Mac OS X Software Update feature or manually download the installer from Apple Support website.
