Apple updates OS X Safari – patches a year’s worth of holes, but not on Snow Leopard


In all the excitement over the End of Windows XP and next Tuesday’s Ultimate Update

…we sort of forgot to write about Apple.

In fact, the “other operating system vendor” put out a mid-week update to its Safari browser, including new features and a lot of security fixes.

Two of the security patches stand out especially:

CVE-2014-1300: Ian Beer of Google Project Zero working with HP’s Zero Day Initiative

CVE-2014-1303: KeenTeam working with HP’s Zero Day Initiative

Those are the Safari flaws revealed just under a month ago on Day One and on Day Two at the PWN2OWN 2014 competition in Vancouver, Canada.

The hole found by Google’s security team, CVE-2014-1300, was particularly pernicious.

The Googlers not only got their own code running just by having Safari visit a booby-trapped web page, a so-called remote code execution exploit or RCE, but also managed to:

  • Run a secondary program of their choice. (Naturally, they chose Calculator.)
  • Run their payload as root.
  • Achieve what’s called process continuation, where Safari kept on going after the attack, rather than giving things away by crashing.

So, well done to Apple for getting those PWN2OWN holes closed within a month.

All in all, this update fixes 27 CVEs, of which 26 involve potential RCE, so each of these could have made a drive-by malware attack possible.

Remember that a drive-by is an attack where simply visiting a web page, without clicking any download buttons or answering any “do you want to run this program downloaded from the internet?” questions, is enough to get you infected with malware.

The 27th fix is for a sandbox escape, where a process inside the browser could trick the operating system into letting it access files it shouldn’t.

Get the update as soon as you can, if you’re not set up to grab Mac patches automatically: Apple Menu | Software Update...

Was Apple fast enough?

Last time we wrote about OS X updates, we suggested that Apple would do well to adopt an update cycle that was both regular and frequent – just like Patch Tuesday.

Some commenters took exception to the idea.

One objection was that a monthly update cycle for Apple would inevitably and confusingly lead to months without updates, because Apple simply doesn’t have that many holes to fix over the course of a year.

But this update belies that claim, fixing as it does four CVEs from 2013, three of which date back to April 2013. (A CVE’s year tells you when the identifier was allocated, not necessarily when Apple learned of the bug, but it does show that the issue had been on the books for a long time before the fix shipped.)

We also ended up last time with a hearty debate about whether OS X 10.6, nicknamed Snow Leopard, was still supported by Apple.

With no explicit word from Cupertino, we’ll have to use inference, and assume that continued absence of evidence for 10.6 support is evidence of its absence.

This update is for OS X 10.7, 10.8 and 10.9, bumping Safari 6 to 6.1.3 and Safari 7 to 7.0.3.
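As an added example, not code from the article or from Apple, here is a small POSIX shell script that tells you whether a given Safari version is at or above the patched versions named above (6.1.3 for Safari 6, 7.0.3 for Safari 7). It compares version numbers field by field rather than as strings, so a hypothetical 6.1.10 is correctly treated as newer than 6.1.3. The script assumes, as is usual on a Mac, that the installed version can be read from /Applications/Safari.app/Contents/Info.plist with `defaults read`; anywhere else it falls back to a few constructed sample version strings so it still runs offline.

```shell
# Added example: is this Safari at or above the patched version?
# Patched versions from the article: Safari 6.1.3 (OS X 10.7/10.8)
# and Safari 7.0.3 (OS X 10.9). Not Apple's code.

# version_ge A B: return 0 if dotted version A >= B, else 1.
# Fields are compared numerically, so "6.1.10" > "6.1.3".
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"            # missing field counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# safari_status VERSION: print "patched", "vulnerable" or "unknown" and
# return 0, 1 or 2. Only the two branches covered by this update are known;
# anything else (e.g. Safari 5 on Snow Leopard) is reported as unknown.
safari_status() {
    v="$1"
    case "$v" in
        6.*) min="6.1.3" ;;
        7.*) min="7.0.3" ;;
        *)   echo "unknown"; return 2 ;;
    esac
    if version_ge "$v" "$min"; then
        echo "patched"; return 0
    else
        echo "vulnerable"; return 1
    fi
}

# installed_safari_version: print the installed version on a Mac.
# Assumption: Safari lives at /Applications/Safari.app and the `defaults`
# tool is available. Elsewhere this prints nothing and succeeds.
installed_safari_version() {
    plist="/Applications/Safari.app/Contents/Info.plist"
    [ -f "$plist" ] || return 0
    defaults read "$plist" CFBundleShortVersionString 2>/dev/null || true
}

# Check the installed copy if there is one, otherwise run over a few
# constructed sample versions so the script demonstrates itself offline.
main() {
    v="$(installed_safari_version)"
    if [ -n "$v" ]; then
        printf 'Safari %s: %s\n' "$v" "$(safari_status "$v")"
    else
        for v in 6.1.2 6.1.3 6.1.10 7.0.2 7.0.3 5.1.10; do
            printf 'Safari %s: %s\n' "$v" "$(safari_status "$v")"
        done
    fi
}

main
```

The numeric field-by-field comparison is the part worth copying: a naive string compare would call 6.1.10 older than 6.1.3. On a Mac you can also ask the system directly with `softwareupdate -l`, which lists the updates still waiting to be installed.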

As fellow writer John Zorabedian said last time, “Poor Snow Leopard (OS X 10.6) is left out in the cold.”

For further information…

If you’re interested in (or inflamed by!) the issues of Windows-against-OS X, the optimal frequency for security patches, and how long operating system versions should be supported, you’ll enjoy this recent Sophos Security Chet Chat podcast.

Listen to Chester Wisniewski and Paul Ducklin give Microsoft-versus-Apple an informative and educational airing. The episode is available to download for offline listening, or on Soundcloud.