The Cupertino, California company seeded updates for both Safari 6 and Safari 7 yesterday, promoting the former to version 6.1.3 and the latter to 7.0.3.
Safari 6.x runs on OS X 10.7, aka Lion, and OS X 10.8, better known as Mountain Lion. Safari 7.x runs on OS X 10.9, or Mavericks.
Apple patched 27 vulnerabilities in Safari 6 and Safari 7, all in WebKit, the open-source browser engine that powers Safari, and all but one considered critical in that they could allow, the company said, “arbitrary code execution”, Apple’s terminology for the most serious bugs.
Among the 27 was the one used by ‘Keen Team’, a Shanghai-based group of security researchers who hacked Safari on the second day of this year’s Pwn2Own, held 12 and 13 March at the CanSecWest security conference in Vancouver, British Columbia.
Of the others, more than half were reported by the Google Chrome security team, which still works on WebKit, even though Google’s browser has switched to a different fork, dubbed ‘Blink’, for its foundation.
Another was attributed to French vulnerability seller Vupen, which also sent a team to Pwn2Own. Vupen hacked several targets, including Chrome, Adobe Reader and Adobe Flash, and Microsoft’s Internet Explorer, taking home US$400,000 of the total contest payout of US$850,000. The bug patched in WebKit – and thus in Safari – was one of several used by Vupen to exploit Chrome.
Tuesday’s Safari update was the second since December that omitted patches for Safari 5.1.10, Apple’s most-current browser for OS X 10.6 Snow Leopard, the 2009 operating system that Apple has stopped supporting with security fixes.
Apple delivered the final security update for Snow Leopard in September 2013.
Last month, Apple made it even plainer that it had stopped supporting Snow Leopard, patching 33 vulnerabilities in Lion, Mountain Lion and Mavericks, but fixing none of the same flaws in Snow Leopard. Many OS X 10.6 users refused to believe that Apple had stopped fixing the operating system, and in comments appended to a February story in Computerworld argued that the flaws didn’t exist in Snow Leopard and because Apple continues to sell Snow Leopard on its e-store it must still be supporting the five-year-old OS.
In fact, many of the vulnerabilities patched last month in other editions do exist in Snow Leopard: Apple fixed numerous bugs in the core components of those versions – including Apple’s own QuickTime and open-source bits like Apache and PHP – that are part of every Mac operating system, Snow Leopard included.
Apple does sell Snow Leopard from its online store – the price is $24.99 – but as an interim step for customers running even older editions who can, and want to, upgrade to something newer, such as Lion or Mountain Lion. Snow Leopard is offered by Apple because it’s the oldest edition that provides access to the Mac App Store, the sole distribution outlet for all later OS X upgrades, including Lion, Mountain Lion and Mavericks, which are available only as downloads.
Also part of Tuesday’s update for Safari 7 were several non-security improvements and enhancements, including a new preference setting that lets users turn off website notifications and a fix for a glitch where the browser loaded a page or generated search results before the user pressed the return key.
Safari 7.0.3 and 6.1.3 can be obtained by selecting ‘Software Update…’ from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right.
by Gregg Keizer, Computerworld