Apple on Wednesday released new versions of Safari for OS X 10.9 Mavericks and OS X 10.8 Mountain Lion, patching two bugs related to WebKit that could allow malicious sites to run code on a user's computer.
According to Apple, Safari 7.0.4 for OS X 10.9 Mavericks and Safari 6.1.4 for OS X 10.8 Mountain Lion both address a WebKit flaw in which arbitrary code could be executed on a host computer when visiting a malicious website. The same issue can also cause Safari to unexpectedly crash.
A second problem, in WebKit's handling of Unicode characters in URLs, allowed a maliciously crafted URL to send false postMessage origins, thus defeating the receiver's origin check. The issue was resolved through enhanced encoding and decoding.
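The origin check that the second WebKit fix protects sits on the receiving side of postMessage. As an added example, not code from the article or from WebKit, here is a receiver written to fail closed: it accepts only an exact, ASCII-only, canonical origin from an allowlist (the allowlist entries are constructed samples), shown beside the loose substring check that lookalike or embedded hostnames defeat.

```javascript
// Added example (not from the article): a hardened postMessage receiver-side
// origin check. The article only says crafted Unicode URLs could produce false
// postMessage origins that defeated a receiver's origin check; the exact bypass
// is not described here. The defence shown is generic: compare the reported
// origin against an allowlist by exact string match, after rejecting anything
// that is not a canonical ASCII origin.

const ALLOWED_ORIGINS = new Set([
  "https://example.com",       // constructed sample allowlist entries
  "https://app.example.com",
]);

// Return true only when `origin` is a canonical, ASCII-only origin that is
// exactly present in the allowlist.
function isTrustedOrigin(origin) {
  if (typeof origin !== "string" || origin.length === 0) return false;
  // Canonical origins are pure printable ASCII; a host carrying non-ASCII
  // characters was never canonicalised (IDNA would have produced xn-- punycode).
  if (!/^[\x21-\x7e]+$/.test(origin)) return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false;                       // not a parseable URL (e.g. "null")
  }
  // Re-serialising the origin must reproduce the input exactly: no path or
  // query, no userinfo, no trailing slash, no uppercase, no default port.
  if (parsed.origin !== origin) return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// A loose check of the kind that lookalike or embedded hosts defeat; kept
// here only as the counter-example.
function isTrustedOriginLoose(origin) {
  return typeof origin === "string" && origin.includes("example.com");
}

// Wire the strict check into a message handler (browser only; a no-op under Node).
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return;   // drop untrusted senders
  // ... process event.data here ...
}
if (typeof window !== "undefined") {
  window.addEventListener("message", handleMessage);
}
```

A browser that reports a false origin cannot be corrected from page script, which is why the Safari update itself matters; the strict check above limits the damage from the loose patterns that remain common in receivers.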
The latest Safari for OS X versions come a month and a half after the previous Safari 7.0.3 and 6.1.3 updates were released in early April. The older iterations brought granular control over push notifications and support for new top-level domain names like ".cab" and ".clothing."
Safari 7.0.4 and 6.1.4 can be downloaded for free via Software Update.
5 Comments
The Safari 6.1.4 update (54.4MB) is also available for OS X 10.7 Lion.
Since Apple apparently doesn't do security updates for Mac OS X 10.6 Snow Leopard any more, is this flaw present in that version of WebKit or not?
Great question. Can anyone answer this? Actually, I don't remember what originally came with 10.6, perhaps it was Safari 4. But can anyone at least answer if the flaw is in the version just prior to what's being discussed, i.e. Safari 5 (of which I think 5.1.2 is the latest), which runs perfectly on 10.6? What manufacturers should do for stuff like this is have a page that you can load that shows whether you're vulnerable or not, like you sometimes see security researchers do.
In Safari 7, I use the Manage Website Settings to configure certain sites to block Flash player while setting the default to allow. But I occasionally find that sites which were set to Block have either changed to Allow, or have been removed from the list. Why is it doing this? Do I have to reconfigure the sites every time there is a Safari or Flash plugin update?
Haven't updated Safari yet, but it's possible that it will be snappier.