Apple Safari 7.0.4 closes 22 holes, including 21 listed under “arbitrary code execution”


Apple just pushed out another Safari update, bumping OS X’s native browser to version 7.0.4.

This got me thinking, “Is it just me, or has Cupertino bumped up the frequency of Safari patches lately?”

After all, Microsoft, Mozilla and Google patch their own browsers both frequently and regularly, and they rarely (OK, never) seem to find themselves short of security improvements to ship.

A few of those are urgent and important fixes for holes that crooks are already exploiting; many are for potentially-exploitable holes that were found and disclosed privately; and some are proactive changes that aim to head future exploits off at the pass.

You can dismiss Microsoft’s Patch Tuesday approach, or Mozilla’s every-42-days update schedule, if you like.

But there is something comforting in that sort of liturgical attitude, not least because it means you can learn to expect security improvements, and to organise yourself around adopting them regularly and routinely, rather than getting every update as a sort of unexpected surprise.

Call it religiosity if you must, but you can argue that it makes security feel a bit more of a right than a privilege.

So, is it just me? Or has Apple bumped up the frequency, and for that matter, the regularity, of Safari patches lately?

I thought I’d better be objective about it, so I drew myself a little train-line of the Safari versions listed on Apple’s HT1222 Security Update page, with the updates as the train stations:

And I have to say, it’s probably just me.

The recent updates to Safari 7 do give a visual sensation of being neatly spaced and close together.

But the picture doesn’t paint a pattern; at least not yet.

After all, the updates from 5.1.4 to 6.0.2 showed every sign of settling into a routine, but didn’t.

Still, Safari 7.0.4 is a security update and you should grab it as quickly as you can, or at least check that you have it installed.

→ To check for and download updates, go to Apple Menu | Software Update..., and to double-check your Safari version, go to Safari | About Safari.
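For readers who manage more than one Mac, here is a scripted version of that check. It is an added example, not something from the article or from Apple: it compares the installed Safari version against the minimum patched build the article names for each OS X release (7.0.4 on Mavericks, 6.1.4 on Lion and Mountain Lion, nothing published for Snow Leopard). The version mapping and the assumption that Safari’s build number can be read from the CFBundleShortVersionString key of its Info.plist are mine; the comparison functions also work when you hand them version strings from an inventory tool.

```shell
#!/bin/sh
# Added example (not from the article): is this Mac's Safari at or above the
# build that carries the 7.0.4 / 6.1.4 security fixes?

# version_ge A B -> returns 0 when dotted version A >= B, comparing each field
# numerically, so that 7.0.10 correctly ranks above 7.0.4 and 7.1 above 7.0.4.
version_ge() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa=${a%%.*}; a=${a#*.}
    fb=${b%%.*}; b=${b#*.}
    # a missing trailing field counts as 0 (7.1 == 7.1.0)
    if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
    if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
  done
  return 0
}

# Minimum patched Safari for a given OS X product version, per the article:
# Mavericks gets 7.0.4, Lion and Mountain Lion get 6.1.4, Snow Leopard gets
# nothing (empty string), which we treat as "assume unsupported".
safari_minimum_for_osx() {
  case "$1" in
    10.9|10.9.*)             printf '%s\n' 7.0.4 ;;
    10.7|10.7.*|10.8|10.8.*) printf '%s\n' 6.1.4 ;;
    *)                       printf '%s\n' "" ;;
  esac
}

# safari_status INSTALLED OSX -> patched | update-needed | no-update-published
safari_status() {
  installed="$1"; osx="$2"
  min=$(safari_minimum_for_osx "$osx")
  if [ -z "$min" ]; then
    printf '%s\n' no-update-published
  elif version_ge "$installed" "$min"; then
    printf '%s\n' patched
  else
    printf '%s\n' update-needed
  fi
}

# Live check, only where Apple's sw_vers and defaults tools exist (i.e. on a
# Mac). Reading CFBundleShortVersionString from Safari's Info.plist is my
# assumption about where the build number lives; adjust if your fleet differs.
if command -v sw_vers >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
  osx=$(sw_vers -productVersion)
  safari=$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)
  printf 'OS X %s, Safari %s: %s\n' "$osx" "$safari" "$(safari_status "$safari" "$osx")"
fi
```

A plain string comparison would have told you that 7.0.10 is older than 7.0.4, which is why the field-by-field compare is worth the extra lines; the `no-update-published` result is deliberately not reported as `patched`, matching the article’s advice to assume Snow Leopard is out in the cold rather than covered.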

There are 22 CVE-numbered security holes patched, 21 of which are annotated by Apple with the words:

Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

In everyday language, that means “possible drive-by install,” also known as “crooks could sneak malware onto your computer without any pop-ups.”

Here’s the list of RCE (remote code execution) CVEs and their discoverers:

It’s good to see Apple itself proactively finding and fixing holes, together with a lot of help from Google, historically a big user of the WebKit core that’s used in many browsers, most notably Safari.

But it’s a bit of a pity to see two CVEs from 2013 only getting fixed now.

However, not all vulnerabilities are practicable, or even possible, to exploit, and the CVEs from 2013 (CVE-2013-2875 and -2927) appear to allow denial of service attacks (deliberate crashes), but not RCE, so it’s no worse than “a bit of a pity.”

By the way, for older versions of OS X still on Safari 6, the fixes are available as Safari 6.1.4.

The OS X versions supported by this update are Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9).

No sign of anything for Snow Leopard (10.6).

As usual, Apple’s silence over exactly what sort of support exists, if any, for OS X 10.6 leaves us unable to tell you why.

It could be that none of these 22 security holes apply to pre-Lion users, or it could be that Snow Leopard is out in the cold as far as security updates go.

In the absence of other evidence, I’d argue that the latter is a safer assumption.