Apple Patches Safari to Fix Memory-Corruption Flaws
Apple issued a pair of new Safari browser releases this week to fix memory-corruption vulnerabilities. Safari versions 7.0.6 and 6.16 were released Aug. 13 and provide fixes for seven different Common Vulnerabilities and Exposures (CVE) entries, all affecting the WebKit rendering engine.
WebKit is an open-source browser engine framework that is used within Safari. Until April 2013, WebKit was also the primary engine underneath Google's Chrome. Google has since forked WebKit into its own Blink rendering engine, though the two technologies still have many similarities, such as common areas of shared code.
Google has been a large contributor to Apple Safari security this year and was credited with the discovery of eight vulnerabilities in WebKit for the Safari 7.0.5 update, released June 30. Google researchers also contributed heavily to the Safari 7.0.3 update in April and Safari 7.04 update in May.
With the new Safari 7.0.6 update, Google is credited with only a single vulnerability (CVE-2014-1387). Apple's security team discovered five of the vulnerabilities (CVE-2014-1384, CVE-2014-1385, CVE-2014-1388, CVE-2014-1389 and CVE-2014-1390). CVE-2014-138 is credited to an anonymous researcher.
While there are seven different vulnerabilities, Apple notes in its advisory that the effect across all of them is the same.
"Visiting a maliciously crafted Website may lead to an unexpected application termination or arbitrary code execution," Apple stated in its advisory.
The fix for all the issues also received a generic explanation from Apple. The company noted that all the issues "were addressed through improved memory handling."
While there are other types of browser security issues, memory corruption is increasingly common across all modern Web browsers. As part of its August Patch Tuesday update, Microsoft delivered fixes for 25 CVEs, most of which were memory-corruption-related flaws.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.