Safari 6 addresses numerous security vulnerabilities
Alongside the release of OS X 10.8 Mountain Lion earlier today, Apple has published version 6.0 of its Safari web browser for OS X 10.7 Lion, adding a number of new features and closing numerous security holes. According to the company, the major update addresses more than 120 vulnerabilities found in the previous 5.x branch. Among the holes closed are problems in the handling of feed:// URLs that could have led to cross-site scripting (XSS) attacks or users' files being sent to a remote server. A bug in the autocomplete system used by Safari, which may have resulted in passwords being automatically inserted even when a site specifies that they shouldn't be, has been fixed, as has an XSS issue caused by opening maliciously crafted files on certain pages.
As usual, the majority of the problems fixed in the update were found in the WebKit browser engine used by Safari. These include cross-site information disclosure bugs, site URL spoofing problems, cross-origin issues, problems related to iFrames and over 100 memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution. For an attack to be successful, a victim must first visit a specially crafted web site. Other WebKit-related bugs include the disclosure of memory contents, escapes from the browser's sandbox, history session handling problems, and an HTTP header injection issue.
Non-security related changes include the addition of a single "Smart Search Field" used for both searching and entering site addresses, a new Password pane for managing saved site logins, and an Offline Reading List, which allows users to save web pages to a Reading List for when an internet connection isn't available. Support for the "Do Not Track" (DNT) header has also been added; DNT is a developing standard for telling web sites that the browser user wishes to opt out of online behavioural tracking.
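The browser-side DNT support described above is only half of the mechanism: a web site still has to read the header and act on it. The following is an added example, not code from Apple, WebKit or the article, showing how a server might honour the header. It assumes the semantics of the W3C Tracking Preference Expression draft ("1" = opt out, "0" = consent, absent = no preference) and the draft's "Tk" response header; the request headers used at the bottom are constructed sample input.

```javascript
// Added example (not Apple's or WebKit's code): honouring the Do Not Track
// header on the server side. Assumed header semantics follow the W3C
// Tracking Preference Expression draft: "1" = user opts out of tracking,
// "0" = user consents, header absent = no preference expressed.

function parseDnt(headerValue) {
  if (headerValue === undefined || headerValue === null) return "unset";
  const v = String(headerValue).trim();
  if (v === "1") return "opt-out";
  if (v === "0") return "consent";
  return "unset"; // unrecognised value: treat as no preference expressed
}

// Decide which response headers a tracking-capable endpoint should add.
// A tracking cookie is only set when the user has not opted out; when
// DNT is 1 the server acknowledges it with the draft's "Tk" header
// ("N" = not tracking, "T" = tracking; assumed per the TPE draft).
function buildResponseHeaders(requestHeaders) {
  // Node-style header objects use lower-case names; look up "dnt".
  const pref = parseDnt(requestHeaders["dnt"]);
  const out = {};
  if (pref === "opt-out") {
    out["Tk"] = "N";
  } else {
    out["Tk"] = "T";
    // "tracker-id-placeholder" is a constructed value, not a real token.
    out["Set-Cookie"] = "tracker=tracker-id-placeholder; Path=/; Secure; HttpOnly";
  }
  return out;
}

// Constructed sample requests: a Safari 6 user who enabled DNT, a user who
// explicitly consented, a browser that sends no header, and a bogus value.
const sampleRequests = [
  { "user-agent": "Safari/6.0 (constructed)", dnt: "1" },
  { "user-agent": "Safari/6.0 (constructed)", dnt: "0" },
  { "user-agent": "OtherBrowser (constructed)" },
  { "user-agent": "OddClient (constructed)", dnt: "yes" },
];

function summarise(requests) {
  return requests.map((h) => ({
    preference: parseDnt(h["dnt"]),
    setsCookie: "Set-Cookie" in buildResponseHeaders(h),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summarise(sampleRequests));
}
```

Only the exact values "1" and "0" are treated as a stated preference; anything else falls back to "no preference", so a malformed header never accidentally grants consent that the user did not express.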
A full list of security fixes can be found in Apple's security advisory. Users running Mac OS X 10.7.4 can upgrade to Safari 6 using the built-in Software Update function. All users are advised to upgrade as soon as possible.
Safari 6 is included by default with Apple's OS X 10.8 Mountain Lion operating system, which arrived earlier today as a paid update from the Mac App Store. At the time of writing, the Apple security updates and Support Downloads pages do not yet list Safari 6. Additionally, it's worth noting that a Windows version of Safari 6 is not available and that all references to Safari for Windows have been removed from Apple's main Safari page. As it uses the same engine, the current 5.1.7 release of Safari for Windows is vulnerable to many of the same security problems.
- APPLE-SA-2012-07-25-1 Safari 6.0, Apple mailing list security advisory.