Apple updates OS X Safari - patches a year's worth of holes, but not on Snow Leopard

Filed Under: Apple, Apple Safari, Featured, Malware, OS X, Vulnerability

In all the excitement over the End of Windows XP and next Tuesday's Ultimate Update...

...we sort of forgot to write about Apple.

In fact, the "other operating system vendor" put out a mid-week update to its Safari browser, including new features and a lot of security fixes.

Two of the security patches stand out especially:

CVE-2014-1300: Ian Beer of Google Project Zero working with HP's Zero Day Initiative

CVE-2014-1303: KeenTeam working with HP's Zero Day Initiative

Those are the Safari flaws revealed just under a month ago on Day One and on Day Two at the PWN2OWN 2014 competition in Vancouver, Canada.

The hole found by Google's security team, CVE-2014-1300, was particularly pernicious.

The Googlers were not only able to escape from Safari and get control, a so-called remote code execution exploit or RCE, but also to:

  • Run a secondary program of their choice. (Naturally, they chose Calculator.)
  • Run their payload as root.
  • Achieve what's called process continuation, where Safari kept on going after the attack, rather than giving things away by crashing.

So, well done to Apple for getting those PWN2OWN holes closed within a month.

All in all, this update fixes 27 CVEs, of which 26 involve potential RCE, so each of these could have made a drive-by malware attack possible.

Remember that drive-bys are when simply looking at a web site, without clicking any download buttons or answering any "do you want to run this program downloaded from the internet" questions, is enough to get you infected with malware.

The 27th fix is for a sandbox escape, where a process inside the browser could trick the operating system into letting it access files it shouldn't.

Get the update as soon as you can, if you're not set up to grab Mac patches automatically: Apple Menu | Software Update...

Was Apple fast enough?

Last time we wrote about OS X updates, we suggested that Apple would do well to adopt an update cycle that was both regular and frequent - just like Patch Tuesday.

Some commenters took exception to the idea.

One objection was that a monthly update cycle for Apple would inevitably and confusingly lead to months without updates, because Apple simply doesn't have that many holes to fix over the course of a year.

But this update belies that claim, fixing as it does four CVEs from 2013, three of which date back to April 2013.

We also ended up last time with a hearty debate about whether OS X 10.6, nicknamed Snow Leopard, was still supported by Apple.

With no explicit word from Cupertino, we'll have to use inference, and assume that continued absence of evidence for 10.6 support is evidence of its absence.

This update is for OS X 10.7, 10.8 and 10.9, bumping Safari 6 to 6.1.3 and Safari 7 to 7.0.3.

As fellow writer John Zorabedian said last time, "Poor Snow Leopard (OS X 10.6) is left out in the cold."

For further information...

If you're interested in (or inflamed by!) the issues of Windows-against-OS X, the optimal frequency for security patches, and how long operating system versions should be supported, you'll enjoy this recent Sophos Security Chet Chat podcast.

Listen to Chester Wisniewski and Paul Ducklin give Microsoft-versus-Apple an informative and educational airing:

(Audio player above not working for you? Download to listen offline, or listen on Soundcloud.)

, , , , , , , ,

You might like

6 Responses to Apple updates OS X Safari - patches a year's worth of holes, but not on Snow Leopard

  1. the JoshMeister · 117 days ago

    Duck, you may or may not be aware that Apple has in the past left long gaps between Snow Leopard Safari updates. I broke the story in March 2013 that Apple had quietly included a Safari fix inside an OS X Security Update after a 10-month period without any Safari patches for Snow Leopard.

    So, while I agree that Apple has probably ended Safari security updates for Snow Leopard (for real) this time, it's not out of the realm of possibility that Apple could surprise us yet again with another quiet update. Snow Leopard still has a fairly significant percentage of Mac operating system usage.

    And, by the way, Apple is still updating its XProtect signatures for Snow Leopard. So while there haven't been recent OS or Safari patches for Snow Leopard, Apple is still actively updating one security-related component of the now three-versions-old OS.

    What really should happen (as you, Chet, and I have all been advocating for years) is for Apple to publicly disclose a security update support lifecycle for its products, or at least for Apple to make an official announcement when the company decides that a product is no longer going to be updated.

    • Paul · 107 days ago

      Hello josh,
      I would say snow leopard is finished.I ran apple update on my old iMac with 10.6.9 and it installed an app to help me download mavericks.I removed it and the next day it returned prompting me to download mavericks. To answer your question,based on what I experienced,Mavericks IS the snow leopard update.

  2. 4caster · 116 days ago

    It's called Planned Obsolescence. Apple can sell more new computers if they stop supporting the older ones.

  3. Ty Dibble · 99 days ago

    The reason it was downgraded is because "Planned Obsolescence" is relevant only in the context of cost of new product. When Apple gives away the new version (Mavericks), the planned obsolescence complaint loses all credibility.

    • Paul · 97 days ago

      The reason Mavericks is offered free is because Mavercks is the snow leopard update.Apple always gives free security updates. I miss the old cat too, but she is gone at least from internet use.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog