Apple Safari 7.0.4 closes 22 holes, including 21 listed under "arbitrary code execution"


Apple just pushed out another Safari update, bumping OS X's native browser to version 7.0.4.

This got me thinking, "Is it just me, or has Cupertino bumped up the frequency of Safari patches lately?"

After all, Microsoft, Mozilla and Google patch their own browsers both frequently and regularly, and they rarely (OK, never) seem to find themselves short of security improvements to ship.

A few of those are urgent and important fixes for holes that crooks are already exploiting; many are for potentially-exploitable holes that were found and disclosed privately; and some are proactive changes that aim to head future exploits off at the pass.

You can dismiss Microsoft's Patch Tuesday approach, or Mozilla's every-42-days update schedule, if you like.

But there is something comforting in that sort of liturgical attitude, not least because it means you can learn to expect security improvements, and to organise yourself around adopting them regularly and routinely, rather than getting every update as a sort of unexpected surprise.

Call it religiosity if you must, but you can argue that it makes security feel a bit more of a right than a privilege.

So, is it just me? Or has Apple bumped up the frequency, and for that matter, the regularity, of Safari patches lately?

I thought I'd better be objective about it, so I drew myself a little train-line of the Safari versions listed on Apple's HT1222 Security Update page, with the updates as the train stations:

And I have to say, it's probably just me.

The recent updates to Safari 7 do give a visual sensation of being neatly spaced and close together.

But the picture doesn't paint a pattern; at least not yet.

After all, the updates from 5.1.4 to 6.0.2 showed every sign of settling into a routine, but didn't.

Still, Safari 7.0.4 is a security update and you should grab it as quickly as you can, or at least check that you have it installed.

→ To check for and download updates, go to Apple Menu | Software Update... and to double-check your Safari version, go to Safari | About Safari.

There are 22 CVE-numbered security holes patched, 21 of which are annotated by Apple with the words:

Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

In everyday language, that means "possible drive-by install," also known as "crooks could sneak malware onto your computer without any pop-ups."

Here's the list of RCE (remote code execution) CVEs and their discoverers:

It's good to see Apple itself proactively finding and fixing holes, together with a lot of help from Google, historically a big user of the WebKit core that's used in many browsers, most notably Safari.

But it's a bit of a pity to see two CVEs from 2013 only getting fixed now.

However, not all vulnerabilities are practicable, or even possible, to exploit, and the CVEs from 2013 (CVE-2013-2875 and -2927) appear to allow denial of service attacks (deliberate crashes), but not RCE, so it's no worse than "a bit of a pity."

By the way, for older versions of OS X still on Safari 6, the fixes are available as Safari 6.1.4.

The OS X versions supported by this update are Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9).

No sign of anything for Snow Leopard (10.6).

As usual, Apple's silence over exactly what sort of support exists, if any, for OS X 10.6 leaves us unable to tell you why.

It could be that none of these 22 security holes apply to pre-Lion users, or it could be that Snow Leopard is out in the cold as far as security updates go.

In the absence of other evidence, I'd argue that the latter is a safer assumption.
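The "check that you have it installed" step above, and the support table (7.0.4 on Mavericks, 6.1.4 on Lion and Mountain Lion, nothing listed for Snow Leopard), can be turned into a script. This is an added example, not code from the original article or from Apple; it assumes Safari's bundle sits at /Applications/Safari.app and that the OS X `defaults` and `sw_vers` tools are available, and elsewhere it simply reports that it cannot read the versions. The one non-obvious part is comparing dotted versions component by component, since a plain string comparison would rank 7.0.10 below 7.0.4.

```shell
#!/bin/sh
# Added example, not from the original article: decide whether the Safari on
# a Mac is at or above the version that carries this security update.
# Required versions are the ones the article reports; the Info.plist path
# and the defaults/sw_vers tools are assumed to be the standard OS X ones.

# version_ge A B: succeed if dotted version A >= B, comparing each component
# numerically (so 7.0.10 ranks above 7.0.4, which a string compare gets
# wrong; a missing component counts as 0, so 7.0 equals 7.0.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                          # leading component
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac   # drop it from A
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac   # drop it from B
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# required_safari_for_osx OSX_VERSION: the Safari version that ships these
# fixes for that OS X release, or "none" where the article lists nothing.
required_safari_for_osx() {
    case $1 in
        10.9|10.9.*)                 echo 7.0.4 ;;
        10.7|10.7.*|10.8|10.8.*)     echo 6.1.4 ;;
        *)                           echo none ;;
    esac
}

# installed_safari_version: read CFBundleShortVersionString from Safari's
# Info.plist via defaults(1); prints "unknown" when that is not possible.
installed_safari_version() {
    plist=/Applications/Safari.app/Contents/Info.plist
    if [ -r "$plist" ] && command -v defaults >/dev/null 2>&1; then
        defaults read "$plist" CFBundleShortVersionString
    else
        echo unknown
    fi
}

# verdict OSX_VERSION SAFARI_VERSION: print the verdict and return
# 0 (patched), 1 (update needed) or 2 (no update listed / version unreadable).
verdict() {
    required=$(required_safari_for_osx "$1")
    have="$2"
    if [ "$required" = none ] || [ "$have" = unknown ]; then
        echo "OS X $1 / Safari $have: no applicable update listed, or version unreadable"
        return 2
    fi
    if version_ge "$have" "$required"; then
        echo "Safari $have is at or above $required: patched"
        return 0
    fi
    echo "Safari $have is older than $required: update needed"
    return 1
}

# Stand-alone run: read the live versions on this machine (both fall back to
# "unknown" on a non-Mac, which yields verdict 2) and report.
osx=$(sw_vers -productVersion 2>/dev/null || echo unknown)
safari=$(installed_safari_version)
status=0
verdict "$osx" "$safari" || status=$?
```

The exit status of `verdict` is the machine-readable result, so the script can be dropped into a fleet inventory job; the mapping in `required_safari_for_osx` is the part to update when Apple moves the goalposts with the next release.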


8 Responses to Apple Safari 7.0.4 closes 22 holes, including 21 listed under "arbitrary code execution"

  1. Gil · 155 days ago

    Another no-go from Apple. You have to use Software Update, which forces you into the App Store, which doesn't work unless you have the hated, intrusive Spotlight running. Whatever happened to users managing the configuration of their own systems?

    • What on earth are you going on about? Intrusive Spotlight? How is it intrusive? Have you ever used a Mac?

    • Damon · 153 days ago

      He's right, the linked article from Apple states "This update can be downloaded and installed using Software Update or from the Apple Support website", but then clicking through to the Apple Support website link reveals no link to download either Safari 6.1.4 or Safari 7.0.4: http://support.apple.com/downloads/#safari

      • Paul Ducklin · 153 days ago

        I can't find a DMG to download either. If you go to the downloads section and search for Safari updates, you just get links to what look like the last issued release of ancient versions. (E.g. Safari for Windows, which has stagnated at version 5.)

        Slightly annoying because it means you can't keep the latest OS X version and the latest Safari version handy to use offline if you need to re-install a Mac. I know that OS X 10.9.3 has Safari 7.0.3 baked in, but a reinstall therefore means going online with outdated browser components to fix Safari.

  2. Jim · 155 days ago

    I'm not an Apple user, but the concept of regular patching is a good one to talk about. There are drawbacks to patching regularly, in addition to benefits.

    For example, the day after "Patch Tuesday" is a good day for hackers to start exploiting holes.

    On the other hand, regularity is crucial to software development. Being locked into a monthly patch process allows you to schedule things like alpha testing, beta testing, etc. Microsoft has proven that regular patching means quality patching. It's been a long time since I remember a patch that broke something.

    All-in-all, I think regularity is the right path to take. But, it makes for a good discussion-maker. Do you guys have a forum? :)

    • True, I'm an Apple fan but I'd prefer Apple to move to a monthly release schedule for security updates - you can get the same amount of testing by narrowing the scope and taking small bites rather than trying to do everything all at once. In many cases, though, the security fixes have already been addressed by other developers, so it is just a matter of merging those updates back into the WebKit tree, so it is doable.

  3. Gail · 153 days ago

    I'm still on Safari 5.1.10. Do I need to update it? I'm still on OS X 10.6.8. I tried Mavericks but deleted it because it wreaked havoc with some of my software and turned Gmail into something I didn't like.

    • Paul Ducklin · 153 days ago

      In my opinion, "Yes, you should update your browser." You are almost certainly missing a pile of important security fixes. To update your browser, however, you will need to upgrade OS X. That means tolerating Mavericks.

      (My mileage differs from yours...to me, so many of the niggles and complaints I had against 10.6 were fixed in later versions of OS X that I'd upgrade just for those, let alone for security reasons :-)

      If you genuinely don't like and won't use Mavericks, but want to keep patched against security holes, I think you have to abandon OS X, because it doesn't look as though Apple is going to help you. There are numerous other OSes you can run on a Mac, notably Linux and Windows.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog