Apple updates Safari on OS X, fixes critical flaws

No sooner had we reported that Microsoft will adopt a “rolling update” model for Windows 10, leaving Update Tuesday behind as a remnant of the past…

…than we received notice of Apple’s latest “rolling update” for its Safari browser.

Safari goes to version 8.0.6 on OS X Yosemite (10.10), version 7.1.6 on Mavericks (10.9), and Safari 6.2.6 on Mountain Lion (10.8).

Anyone still clinging to the stubborn belief, or rather the forlorn hope, that Apple still secretly supports OS X Snow Leopard (10.6): we’re once again sorry to remind you of the definition of for’lorn [adj.]: (of an endeavour) unlikely to succeed or be fulfilled; hopeless. Don’t shout at us, though, we’re just the messengers.

Apple has never had a regular process for updates, preferring to ship them when they’re good and ready, occasionally making you wait for months after everyone else has patched, but sometimes getting important fixes out “very soon.”

Ironically, for all that Apple’s updates typically arrive to a schedule best described with the words “as and when,” both March and April saw updates at the start of the second week of the month.

Indeed, our own Chester Wisniewski jested that Apple seemed to be sliding into Monthly Tuesdayism just as Microsoft was preparing to ease out of it.

Of course, Apple also put out updates in the middle of March, basically shipping some fixes to fix its most recent fixes, as well as an update to Safari that, like this latest one, came out independently.

What’s fixed?

Safari version x.x.6 deals with two main flaws:

Memory corruption (loosely put, buffer overflows) that could lead to Remote Code Execution (RCE).

RCE means that a crook can, in theory, embed executable code in a web page and then trick your browser into running it without any safeguards or warnings.

Usually, executable code in web content would just be treated by your browser as meaningless binary data – gobbledegook, in a word.

But if the browser’s flow of program execution can be misdirected into what’s supposed to be data so it runs as if it were code, then all browser protection, download warnings and “are you sure” dialogs are sneakily avoided.

That’s known as drive-by malware, because merely visiting the booby-trapped web page is enough to infect your computer.

A security bypass that could give a remote web page access to locally stored files.

The security of your web browsing is heavily dependent on a concept known as the same-origin policy.

If you choose to load a web page from your local hard disk, that page can not only link to other locally-stored files but also access information that is loaded from those files.

That works because the original page and the linked page have the same origin: your local disk.

But even though remote web pages can link to third-party pages (indeed, that’s the whole idea of the web), and get your browser to suck in and display that third-party content, the original page should never be able to find out anything about what came back in those third-party pages.

That isn’t supposed to work because they have different origins.

Without the same-origin policy, one web page could read cookies (e.g. login cookies) set by another website, steal private content (e.g. bank balances) displayed in another page, or, in the most extreme case, read data from your local files.
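To make the rule concrete, here is an added example (written for this page, not code from Apple or from WebKit) that models the same-origin check a browser performs before letting one document read what another document loaded. An origin is the scheme, host and port taken together, so the example shows the cases the article walks through plus a couple it does not spell out: same host on a different scheme or port is a different origin, while an explicit default port is not. The function names, the scenario URLs and the treatment of file: URLs as one shared “local disk” origin are all assumptions made to match the article’s description; real browsers give file: pages an opaque origin and are stricter than this model.

```javascript
// Added example: a minimal model of the same-origin policy described in the article.
// An origin is the (scheme, host, port) triple. Two documents may read each other's
// content (DOM, cookies, fetched responses) only when all three parts match exactly.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Normalize a URL into its origin triple. Returns null for input that is not a URL.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (u.protocol === "file:") {
    // Assumption following the article: every locally loaded page shares one origin,
    // "your local disk". Modern browsers are stricter (file: pages get an opaque,
    // unique origin), but this toy follows the article's simpler model.
    return { scheme: "file", host: "", port: "" };
  }
  // The URL parser drops a port that equals the scheme's default, so fill it back in
  // to make "https://example.com/" and "https://example.com:443/" compare equal.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname.toLowerCase(), port };
}

// Core rule: may a script running in sourceUrl read content loaded from targetUrl?
function sameOrigin(sourceUrl, targetUrl) {
  const a = originOf(sourceUrl);
  const b = originOf(targetUrl);
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The distinction the article draws: a page may link to and display any URL, but may
// only read what came back when the origins match.
function canRead(sourceUrl, targetUrl) {
  return sameOrigin(sourceUrl, targetUrl);
}

// Constructed scenarios (not real sites) covering the article's three cases and two more.
const SCENARIOS = [
  // 1. local page reading another local file: same origin in the article's model
  { source: "file:///Users/demo/page.html", target: "file:///Users/demo/notes.txt" },
  // 2. remote page that embeds a third-party page: may display it, must not read it
  { source: "https://shop.example.com/", target: "https://bank.example.net/balance" },
  // 3. remote page reaching for a local file: the kind of access the fixed bypass allowed
  { source: "https://shop.example.com/", target: "file:///Users/demo/notes.txt" },
  // 4. same host, different scheme: still a different origin
  { source: "https://shop.example.com/", target: "http://shop.example.com/" },
  // 5. same host and scheme, non-default port: different origin
  { source: "https://shop.example.com/", target: "https://shop.example.com:8443/" },
  // 6. explicit default port is the same origin as the implied one
  { source: "https://shop.example.com/", target: "https://shop.example.com:443/app" },
];

// Evaluate every scenario; returns an array of { source, target, canRead } records.
function runScenarios() {
  return SCENARIOS.map(({ source, target }) => ({ source, target, canRead: canRead(source, target) }));
}

// Print the decision table when run directly with node.
for (const r of runScenarios()) {
  console.log(`${r.canRead ? "ALLOW" : "BLOCK"}  ${r.source}  ->  ${r.target}`);
}
```

Running it prints ALLOW only for scenarios 1 and 6; the remote-page-to-local-file case (scenario 3) is exactly the read that the security bypass fixed in this update let through, which is why the policy has to be enforced by the browser rather than trusted to the page.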

What to do?

Simple: head to Apple Menu | App Store... | Updates and make sure you have the latest version of Safari.

To check your Safari version, run the browser and use Safari | About Safari, or open a Finder window and go to Applications|

For more information from the horse’s mouth, visit Apple’s Security Updates landing page (which has been re-numbered from HT1222 to HT20122), or the Safari x.x.6 update page itself (HT204826).

NB. There is no corresponding update for iOS, even though it too contains Safari and its underlying WebKit engine.