Apple Safari for OS X gets “click-to-own” security holes patched


Apple has just updated its Safari browser.

There’s still no sign of the regular, frequent update process that works so well for companies like Microsoft and Adobe, where you know you’ll get an update (or at least be told you aren’t getting one) every month.

Nevertheless, this is the sixth Safari update in 10 months, so Cupertino at least seems to be leaving behind the four-months-with-nothing-at-all approach it followed in the previous three years.

Of course, doing things other people’s way has never been Apple’s style, so I don’t think any of us are actually expecting Apple to become more liturgically precise with security updates.

But it’s good to see a published fix that:

  • Comes reasonably soon (44 days) after the previous one.
  • Is focused on security.
  • Includes a majority of fixes found by Apple’s own researchers.
  • Appears to be fixing recently-found vulnerabilities.

Apple’s security bulletin, which is, happily, already listed on the company’s HT1222 security portal page, doesn’t give much detail beyond noting that the update fixes various Remote Code Execution (RCE) holes:

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

That’s the usual sort of vendor long-hand for drive-by download or click-to-own.

Safari on Lion, Mountain Lion and Mavericks (OS X 10.7, 10.8 and 10.9 respectively) gets patches, taking Safari 6 users to version 6.1.6 and Safari 7 users to 7.0.6.

No surprise that Apple’s own “XP headache,” Snow Leopard (OS X 10.6), gets nothing.

What to do?

As with previous Safaris, the updates aren’t available from Apple’s downloads page, where the most recent version is the superseded Safari 5.1.10 from nearly a year ago (12 Sep 2013).

You need to head to Software Update... in the Apple menu. (On OS X Mavericks, this actually takes you to the Updates page of the App Store application.)

In case you’re wondering, on OS X 10.9.4 the update to Safari 7.0.6 comes in at a touch over 50MBytes.