Security Watch

Keeping Track of patches and hacks in the IT security world.

Apple Issues Safari Security Update

Apple fixed 27 vulnerabilities in Safari for Mac OS X and Windows today. All of the vulnerabilities exist in the open-source Webkit engine. In addition, nearly all of them can be exploited to execute code remotely on Macs or Windows PCs. Among the vulnerabilities is a problem due to Safari using a

Apple fixed 27 vulnerabilities in Safari for Mac OS X and Windows today.

All of the vulnerabilities exist in the open-source Webkit engine. In addition, nearly all of them can be exploited to execute code remotely on Macs or Windows PCs.

Among the vulnerabilities is a problem due to Safari using a "predictable algorithm" to generate random numbers for JavaScript applications. This may allow a Website to track a particular Safari session without using cookies, hidden form elements, IP addresses or other techniques, Apple warned. The update addresses the issues by using a stronger random number generator.

Several of them can be exploited through drive-by attacks on malicious sites, Apple noted in the advisory. For example, an integer overflow exists in Webkit's handling of Text objects, and could be exploited via a maliciously crafted Website to cause an application crash or permit code execution. The issue was fixed through improved bounds checking, Apple said.

More information about the update can be found here.