The Safari 7.0.4 and 6.1.4 updates debuted on May 21, providing users with 21 security fixes. All 21 of the security issues affect Safari’s WebKit rendering engine and are various forms of memory corruption. The new Safari updates follow Apple’s Safari 7.0.3 release in April, which also had a strong Google influence.
Among the fixed issues are a pair that date back to 2013: CVE-2013-2875 and CVE-2013-2927. The CVE-2013-2875 vulnerability was first patched by Google in its Chrome 28 release back in July 2013. The CVE-2013-2927 vulnerability was first patched by Google in October 2013 with the Chrome 30 release.
Google’s Chrome and Apple’s Safari share a common lineage. Until April 2013, Chrome also used WebKit; Google has since forked it to create its own Blink rendering engine. Blink, however, still relies on and leverages many aspects of WebKit, which is why vulnerabilities found in Chrome might also still impact Safari.
I think it’s great that Google’s security research effort can still help Apple’s Safari users, but I don’t think it’s great that Apple leaves its users at risk for as much as 10 months longer (in the case of CVE-2013-2875) than Google.
That said, there is no indication that I’m aware of that Safari users have ever been attacked with the older vulnerabilities, but that doesn’t mean that Apple is off the hook either. Security is often a race against time, and it’s a race that Apple needs to do a better job at if it wants to truly keep its users safe.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.