Apple publishes big Safari security update - Lion status unclear

Filed Under: Apple, Apple Safari, Featured, Vulnerability

Apple yesterday released an update for Safari 5.0.6 and 5.1 which includes a whole battery of security fixes.

If you calculate the magnitude of a security update by the count of CVE (Common Vulnerabilities and Exposures) numbers listed, this one scores a 57.

For the full security story, see Apple's Knowledgebase article HT4808. For a summary in list form, see below.

Note that Apple's advice about the update doesn't make it clear whether Lion users need the update or not. The HT4808 article says that "Safari 5.1 is included with OS X Lion" but also lists "Safari 5.1 (OS X Lion)", along with earlier OS X versions, in the Products Affected section.

Whether this means that there's now a newer build of Safari 5.1 for Lion available than is included in the AppStore download or not isn't clear.

I don't have OS X 10.7 yet (I'm unwilling to buy it until it is available over the counter for cash), but on my trusty 10.6.8 system, the latest Safari 5.1 is labelled as build 6534.50. I assume if that's what you have, you're up-to-date.

(Update: Apparently, the Safari shipped with Lion is up-to-date, and the Safari 5.1 for OS X 10.7 build number is 7534.48.3.)

Of the 57 CVE entries patched, those who reported or sold the relevant vulnerabilities claimed that: 46 might lead to remote code execution; four to information disclosure; three to the spoofing of addresses or content; three to cross-site scripting; and one to the mismanagement of SSL certificates.

The good news is that the update also offers some good, old-fashioned improvements and a few new features, including one called the Reading List, which lets you easily add webpages and links into a reading list to look at later. The non-security-related features in the update are in Apple article HT4611.

Once again, to Mac fanbuoys (and gurls) who insist that Macs are vulnerable only to the sort of malware infection which relies on the user agreeing to a sequence of dubious-looking installation steps: look at all the entries in the list below labelled EXEC. These denote possible remote code execution vulnerabilities in the Safari product.

And a remote code execution exploit means you're at risk of a drive-by install. That's where you run untrusted program code silenty, merely by visiting a maliciously-crafted web page.

To add some balance here, let me observe that some of those who traffick in vulnerabilities love to assign the tag "possible remote code execution" to just about any bug by which they are able to crash the victim program with some degree of finesse.

But "possible remote code execution" doesn't inevitably mean that a known, reliable exploit exists, or that one is even likely. Some horrendous-looking vulnerabilities turn out to be much harder to exploit in the real world than you might at first think, so "possible" may sometimes mean little more than "not inconceivable."

Nevertheless, this sort of bug is a fault which is potentially dangerous, and needs to be fixed as soon as possible. So get your Safari 5.0.6 and 5.1 updates today.

(And if you aren't yet running a full-function anti-virus on your Mac - the one built into OS X gives only a sliver of protection - please take advantage of our free Sophos Anti-Virus for Mac Home Edition. Yes, it supports Lion.)

DownloadFree Anti-Virus for Mac
Download Sophos Anti-Virus for Mac Home Edition

-
Here is the summary of the security fixes in this latest Safari update:


   SAFARI 5.1 AND 5.0.6 - LIST OF SECURITY SECURITY UPDATES

           W:     Windows only affected
           Wm:    Windows affected, Mac previously patched
           WM:    Windows and Mac affected

           XSS:   Cross site scripting (3 of 57)
           EXEC:  Remote code execution (46 of 57)
           CERT:  Certificate trust flaw (1 of 57)
           LEAK:  Information disclosure (4 of 57)
           SPOOF: Wrong domain lookup, address 
                  or content display (3 of 57)

         Buggy component  Pl  Vuln  CVE reference
         ---------------  --  ----  -------------
         CFNetwork        W   XSS   CVE-2010-1420 
         CFNetwork        W   EXEC  CVE-2010-1383  
         CFNetwork        W   CERT  CVE-2011-0214
         ColorSync        Wm  EXEC  CVE-2011-0200
         CoreFoundation   Wm  EXEC  CVE-2011-0201 
         CoreGraphics     Wm  EXEC  CVE-2011-0202
         IC for Unicode   Wm  EXEC  CVE-2011-0206 
         ImageIO          W   EXEC  CVE-2011-0241
         ImageIO          W   EXEC  CVE-2011-0215
         ImageIO          Wm  EXEC  CVE-2011-0204
         libxslt          Wm  LEAK  CVE-2011-0195
         libxml           W   EXEC  CVE-2011-0216
         Safari           WM  LEAK  CVE-2011-0217
         Safari           WM  SPOOF CVE-2011-0219
         WebKit           WM  EXEC  CVE-2010-1823
         WebKit           WM  EXEC  CVE-2011-0164
         WebKit           WM  EXEC  CVE-2011-0218
         WebKit           WM  EXEC  CVE-2011-0221
         WebKit           WM  EXEC  CVE-2011-0222
         WebKit           WM  EXEC  CVE-2011-0223
         WebKit           WM  EXEC  CVE-2011-0225
         WebKit           WM  EXEC  CVE-2011-0232
         WebKit           WM  EXEC  CVE-2011-0233
         WebKit           WM  EXEC  CVE-2011-0234
         WebKit           WM  EXEC  CVE-2011-0235
         WebKit           WM  EXEC  CVE-2011-0237
         WebKit           WM  EXEC  CVE-2011-0238
         WebKit           WM  EXEC  CVE-2011-0240
         WebKit           WM  EXEC  CVE-2011-0253
         WebKit           WM  EXEC  CVE-2011-0254
         WebKit           WM  EXEC  CVE-2011-0255
         WebKit           WM  EXEC  CVE-2011-0981
         WebKit           WM  EXEC  CVE-2011-0983
         WebKit           WM  EXEC  CVE-2011-1109
         WebKit           WM  EXEC  CVE-2011-1114
         WebKit           WM  EXEC  CVE-2011-1115
         WebKit           WM  EXEC  CVE-2011-1117
         WebKit           WM  EXEC  CVE-2011-1121
         WebKit           WM  EXEC  CVE-2011-1188
         WebKit           WM  EXEC  CVE-2011-1203
         WebKit           WM  EXEC  CVE-2011-1204
         WebKit           WM  EXEC  CVE-2011-1288
         WebKit           WM  EXEC  CVE-2011-1293
         WebKit           WM  EXEC  CVE-2011-1296
         WebKit           WM  EXEC  CVE-2011-1449
         WebKit           WM  EXEC  CVE-2011-1451
         WebKit           WM  EXEC  CVE-2011-1453
         WebKit           WM  EXEC  CVE-2011-1457
         WebKit           WM  EXEC  CVE-2011-1462
         WebKit           WM  EXEC  CVE-2011-1797
         WebKit           WM  EXEC  CVE-2011-1774
         WebKit           WM  LEAK  CVE-2011-1190
         WebKit           WM  XSS   CVE-2011-0242
         WebKit           WM  XSS   CVE-2011-1295
         WebKit           WM  SPOOF CVE-2011-1107
         WebKit           WM  LEAK  CVE-2011-0244
         WebKit           WM  SPOOF CVE-2010-3829

, , , , , , ,

You might like

2 Responses to Apple publishes big Safari security update - Lion status unclear

  1. June · 1005 days ago

    Wait, you're waiting to buy the Lion OS until you can buy it physically? You realize that's going to cost you an extra $40, for the exact same product. What a tard, haha.

  2. Michael · 998 days ago

    Did you know that if you buy Lion from the App Store, then before installing it you can grab the disk image from inside the downloaded package? http://arstechnica.com/apple/guides/2011/07/ask-a...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog