Apple yesterday released an update for Safari 5.0.6 and 5.1 which includes a whole battery of security fixes.
If you calculate the magnitude of a security update by the count of CVE (Common Vulnerabilities and Exposures) numbers listed, this one scores a 57.
For the full security story, see Apple’s Knowledgebase article HT4808. For a summary in list form, see below.
Note that Apple’s advice about the update doesn’t make it clear whether Lion users need the update or not. The HT4808 article says that “Safari 5.1 is included with OS X Lion” but also lists “Safari 5.1 (OS X Lion)”, along with earlier OS X versions, in the Products Affected section.
Whether this means that there’s now a newer build of Safari 5.1 for Lion available than is included in the AppStore download or not isn’t clear.
I don’t have OS X 10.7 yet (I’m unwilling to buy it until it is available over the counter for cash), but on my trusty 10.6.8 system, the latest Safari 5.1 is labelled as build 6534.50. I assume if that’s what you have, you’re up-to-date.
(Update: Apparently, the Safari shipped with Lion is up-to-date, and the Safari 5.1 for OS X 10.7 build number is 7534.48.3.)
Of the 57 CVE entries patched, those who reported or sold the relevant vulnerabilities claimed that: 46 might lead to remote code execution; four to information disclosure; three to the spoofing of addresses or content; three to cross-site scripting; and one to the mismanagement of SSL certificates.
The good news is that the update also offers some good, old-fashioned improvements and a few new features, including one called the Reading List, which lets you easily add webpages and links into a reading list to look at later. The non-security-related features in the update are in Apple article HT4611.
Once again, to Mac fanbuoys (and gurls) who insist that Macs are vulnerable only to the sort of malware infection which relies on the user agreeing to a sequence of dubious-looking installation steps: look at all the entries in the list below labelled EXEC. These denote possible remote code execution vulnerabilities in the Safari product.
And a remote code execution exploit means you’re at risk of a drive-by install. That’s where you run untrusted program code silenty, merely by visiting a maliciously-crafted web page.
To add some balance here, let me observe that some of those who traffick in vulnerabilities love to assign the tag “possible remote code execution” to just about any bug by which they are able to crash the victim program with some degree of finesse.
But “possible remote code execution” doesn’t inevitably mean that a known, reliable exploit exists, or that one is even likely. Some horrendous-looking vulnerabilities turn out to be much harder to exploit in the real world than you might at first think, so “possible” may sometimes mean little more than “not inconceivable.”
Nevertheless, this sort of bug is a fault which is potentially dangerous, and needs to be fixed as soon as possible. So get your Safari 5.0.6 and 5.1 updates today.
(And if you aren’t yet running a full-function anti-virus on your Mac – the one built into OS X gives only a sliver of protection – please take advantage of our free Sophos Anti-Virus for Mac Home Edition. Yes, it supports Lion.)
Here is the summary of the security fixes in this latest Safari update:
SAFARI 5.1 AND 5.0.6 - LIST OF SECURITY SECURITY UPDATES W: Windows only affected Wm: Windows affected, Mac previously patched WM: Windows and Mac affected XSS: Cross site scripting (3 of 57) EXEC: Remote code execution (46 of 57) CERT: Certificate trust flaw (1 of 57) LEAK: Information disclosure (4 of 57) SPOOF: Wrong domain lookup, address or content display (3 of 57) Buggy component Pl Vuln CVE reference --------------- -- ---- ------------- CFNetwork W XSS CVE-2010-1420 CFNetwork W EXEC CVE-2010-1383 CFNetwork W CERT CVE-2011-0214 ColorSync Wm EXEC CVE-2011-0200 CoreFoundation Wm EXEC CVE-2011-0201 CoreGraphics Wm EXEC CVE-2011-0202 IC for Unicode Wm EXEC CVE-2011-0206 ImageIO W EXEC CVE-2011-0241 ImageIO W EXEC CVE-2011-0215 ImageIO Wm EXEC CVE-2011-0204 libxslt Wm LEAK CVE-2011-0195 libxml W EXEC CVE-2011-0216 Safari WM LEAK CVE-2011-0217 Safari WM SPOOF CVE-2011-0219 WebKit WM EXEC CVE-2010-1823 WebKit WM EXEC CVE-2011-0164 WebKit WM EXEC CVE-2011-0218 WebKit WM EXEC CVE-2011-0221 WebKit WM EXEC CVE-2011-0222 WebKit WM EXEC CVE-2011-0223 WebKit WM EXEC CVE-2011-0225 WebKit WM EXEC CVE-2011-0232 WebKit WM EXEC CVE-2011-0233 WebKit WM EXEC CVE-2011-0234 WebKit WM EXEC CVE-2011-0235 WebKit WM EXEC CVE-2011-0237 WebKit WM EXEC CVE-2011-0238 WebKit WM EXEC CVE-2011-0240 WebKit WM EXEC CVE-2011-0253 WebKit WM EXEC CVE-2011-0254 WebKit WM EXEC CVE-2011-0255 WebKit WM EXEC CVE-2011-0981 WebKit WM EXEC CVE-2011-0983 WebKit WM EXEC CVE-2011-1109 WebKit WM EXEC CVE-2011-1114 WebKit WM EXEC CVE-2011-1115 WebKit WM EXEC CVE-2011-1117 WebKit WM EXEC CVE-2011-1121 WebKit WM EXEC CVE-2011-1188 WebKit WM EXEC CVE-2011-1203 WebKit WM EXEC CVE-2011-1204 WebKit WM EXEC CVE-2011-1288 WebKit WM EXEC CVE-2011-1293 WebKit WM EXEC CVE-2011-1296 WebKit WM EXEC CVE-2011-1449 WebKit WM EXEC CVE-2011-1451 WebKit WM EXEC CVE-2011-1453 WebKit WM EXEC CVE-2011-1457 WebKit WM EXEC CVE-2011-1462 WebKit WM EXEC CVE-2011-1797 WebKit WM EXEC CVE-2011-1774 WebKit WM LEAK CVE-2011-1190 WebKit WM XSS CVE-2011-0242 WebKit WM XSS CVE-2011-1295 WebKit WM SPOOF CVE-2011-1107 WebKit WM LEAK CVE-2011-0244 WebKit WM SPOOF CVE-2010-3829