Apple Safari for OS X gets "click-to-own" security holes patched

Filed Under: Apple, Apple Safari, Featured, OS X, Vulnerability

Apple has just updated its Safari browser.

There's still no sign of the regularity and frequency in the update process that works so well for companies like Microsoft and Adobe, where you know you'll get an update (or at least be told you aren't getting one) every month.

Nevertheless, this is the sixth Safari update in 10 months, so Cupertino at least seems to be leaving behind the four-months-with-nothing-at-all approach it followed in the previous three years.

Of course, doing things other people's way has never been Apple's style, so I don't think any of us are actually expecting Apple to become more liturgically precise with security updates.

But it's good to see a published fix that:

  • Comes reasonably soon (44 days) after the previous one.
  • Is focused on security.
  • Includes a majority of fixes found by Apple's own researchers.
  • Appears to be fixing recently-found vulnerabilities.

There's not much detail in Apple's security bulletin (which is, happily, already listed on the company's HT1222 security portal page) beyond noting that the update fixes various Remote Code Execution (RCE) holes:

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

That's the usual sort of vendor long-hand for drive-by download or click-to-own: merely visiting a booby-trapped web page could be enough, with no download prompt or click-through needed.

Safari on Lion, Mountain Lion and Mavericks (OS X 10.7, 10.8 and 10.9 respectively) get patches, taking Safari 6 users to version 6.1.6 and Safari 7 users to 7.0.6.

No surprise that Apple's own "XP headache," Snow Leopard (OS X 10.6), gets nothing.

What to do?

As with previous Safaris, the updates aren't available from Apple's downloads page, where the most recent version is the superseded Safari 5.1.10 from nearly a year ago (12 Sep 2013).

You need to head to Software Update... in the Apple menu. (On OS X Mavericks, this actually takes you to the Updates page of the App Store application.)

In case you're wondering, on OS X 10.9.4 the update to Safari 7.0.6 comes in at a touch over 50MB.
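If you look after more than one Mac, you will want a quick way of telling whether a given machine is actually at the fixed level. Here is an added example (not from the original article, and not an Apple tool) in POSIX shell that checks a Safari version string against the patched levels named above: 6.1.6 for the Safari 6 line and 7.0.6 for the Safari 7 line, with anything else (for example Safari 5.1.10 on Snow Leopard) reported as having no fix. On a live OS X system it reads the version from Safari's Info.plist (assuming the standard /Applications/Safari.app location); anywhere else it falls back to a constructed list of sample version strings. The comparison is numeric, field by field, rather than relying on `sort -V`, which is not guaranteed to exist on OS X.

```shell
#!/bin/sh
# Added example, not from the original article or from Apple.
# Checks whether an installed Safari is at or above the patched levels the
# article gives: Safari 6.x needs 6.1.6, Safari 7.x needs 7.0.6. Any other
# major version (e.g. Safari 5.1.10 on Snow Leopard) has no fix and is
# reported as such.

# vercmp A B: compare dotted version strings field by field, numerically.
# Prints -1, 0 or 1 for A<B, A=B, A>B. Missing fields count as 0, so
# "7.0" equals "7.0.0". Only the first whitespace-separated token is used
# and any non-digit, non-dot characters are stripped.
vercmp() {
    a=$(printf '%s' "${1%% *}" | sed 's/[^0-9.]//g')
    b=$(printf '%s' "${2%% *}" | sed 's/[^0-9.]//g')
    i=1
    while :; do
        # Trailing dot guarantees a delimiter, so cut never echoes the whole string.
        fa=$(printf '%s.' "$a" | cut -d. -f"$i")
        fb=$(printf '%s.' "$b" | cut -d. -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then printf '%s\n' 0; return 0; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
}

# min_patched_for MAJOR: fixed version for that Safari line, or nothing.
min_patched_for() {
    case "$1" in
        6) printf '%s\n' 6.1.6 ;;
        7) printf '%s\n' 7.0.6 ;;
        *) : ;;
    esac
}

# safari_patched VERSION: exit 0 if VERSION is at/above the fix level, else 1.
safari_patched() {
    major=$(printf '%s.' "$1" | cut -d. -f1)
    min=$(min_patched_for "$major")
    [ -n "$min" ] || return 1
    [ "$(vercmp "$1" "$min")" -ge 0 ]
}

# installed_safari_version: read the bundle version on a live OS X system.
# Assumes the standard /Applications/Safari.app location; returns non-zero
# elsewhere so the script can fall back to sample data.
installed_safari_version() {
    plist=/Applications/Safari.app/Contents/Info.plist
    [ -f "$plist" ] || return 1
    command -v defaults >/dev/null 2>&1 || return 1
    defaults read "$plist" CFBundleShortVersionString
}

# report VERSION: print a one-line verdict for a version string.
report() {
    major=$(printf '%s.' "$1" | cut -d. -f1)
    min=$(min_patched_for "$major")
    if safari_patched "$1"; then
        printf 'Safari %s: patched (fix level %s)\n' "$1" "$min"
    elif [ -n "$min" ]; then
        printf 'Safari %s: NOT patched, update to %s via Software Update\n' "$1" "$min"
    else
        printf 'Safari %s: no fix available for this Safari/OS X line\n' "$1"
    fi
}

if v=$(installed_safari_version); then
    report "$v"
else
    # Not on OS X: run against constructed sample version strings.
    for v in 7.0.6 7.0.5 6.1.6 6.1.5 5.1.10; do report "$v"; done
fi
```

On a machine that reports NOT patched, the command-line equivalent of the Software Update menu item is `softwareupdate -l` to list what is pending and `sudo softwareupdate -i -a` to install it, which is handier than clicking through the App Store on a fleet of Macs.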



5 Responses to Apple Safari for OS X gets "click-to-own" security holes patched

  1. Scipio · 69 days ago

    Alas, Apple's refusal to incorporate a real search application in OS X (by which I mean one that will let me find any file on my computer, not just the ones Apple thinks I should want to find) requires me to use a third-party search app...in which case, why do I need Spotlight eating CPU capacity and constantly hammering away at my hard drive?

    Answer: I don't, so I've disabled it.

    And there's the rub; the App Store application is broken without Spotlight running...or at least that's true in OS X 10.8.5. So, there's no updating Safari without opening Terminal.app, re-enabling Spotlight, running the update, and then disabling Spotlight again.

    And worst of all, the App Store process leaves the user without an installer file, so if something is broken in the new version and you used the App Store to install the previous version, you can't re-install the earlier version.

    I'm not sure why Apple is doing so much to take system configuration management away from the user, but it's becoming an increasing nuisance.

    • Laurence Marks · 68 days ago

      Scipio wrote "I'm not sure why Apple is doing so much to take system configuration management away from the user, but it's becoming an increasing nuisance."

      Vote with your feet (or wallet).

  2. Apple have created their Snow Leopard headache by adopting the Microsoft "buy a new computer to run the latest software" model of sales. Versions of OS X after 10.6 suffer the spinning beachball of death in ever increasing amounts. All Apple offers is denial that there is a serious problem, whereas the user statistics for people still using 10.6 speak volumes.

  3. RichElM · 68 days ago

    I think that Apple must realize that many people can't upgrade to newer OSes. Obviously it is not the cost of the OS upgrade but often the cost of upgrading all of the other programs running on the OS.

    I have a number of older clients on fixed incomes who don't have the money to upgrade all of the things that they use.

    They need to be protected by Apple on the programs that they use to communicate to the outside world.

    For example, some of them have dropped the use of Word and Excel because they see the cost of going to 365 when MS drops the non-subscription versions of Office applications. The same is true of Adobe: either they will stay with CS 6 or find other programs at lesser cost to move to.

    • Paul Ducklin · 67 days ago

      Ironically, Apple's OS X upgrades are now free. Perhaps a bit of a stretch to blame Apple for the cost of upgrading worn-out software from Microsoft and Adobe :-)

      There are free alternatives to Office and Creative Suite that are supported. (E.g. LibreOffice, GIMP, Inkscape.) If you care about security and don't want to pay, you'll switch; if you don't care about security and don't want to pay...that's your choice, but I'd implore you not to take that path.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog