Apple Patches Safari for Flaws in WebKit Rendering Engine

Even though Google now uses its own Blink Web rendering engine, it is still heavily contributing to Apple WebKit security.


Apple updated its Safari Web browser this week, thanks in no small part to the efforts of Google. The Safari 7.0.3 and 6.1.3 browsers were both released by Apple on April 1 for Mac OS X users.

In total, the browser updates provide fixes for 27 vulnerabilities, with the Google Chrome Security Team reporting 16 of them. All the vulnerabilities fixed in the Safari update are within the WebKit rendering engine.

Until April 2013, the open-source WebKit was also the rendering engine used by Google to power its Chrome Web browser. Google decided a year ago to fork WebKit into its own rendering engine, known as Blink. At the time, there was some speculation that Google's forking the WebKit would potentially leave Safari security at risk. Google has long been a key contributor of research and bug fixes to WebKit, benefiting both Safari and Chrome users.

As it turns out, even though Blink is a code fork, it still relies on elements of the WebKit engine and Google still has a need to patch those elements, which also impacts Safari.

All the WebKit issues reported in the Safari update are memory-related issues.

"Multiple memory corruption issues existed in WebKit," Apple's security advisory states. "These issues were addressed through improved memory handling."

Though Google security researchers are well-represented on the list of people who provided bugs to the new Safari update, there are others as well. Among them are researchers who found and publicly demonstrated flaws in Safari at the Pwn2own 2014 event in March that was sponsored by Hewlett-Packard's Zero Day Initiative (ZDI)

During the Pwn2own event, the Keen Team security research group leveraged a memory heap overflow, along with a sandbox bypass, to exploit Apple's Web browser. For their efforts, HP awarded the Keen Team a cash reward of $65,000.

Google researchers competing in the Pwn4fun component of the Pwn2own event were also able to successfully publicly demonstrate a Safari flaw. For the Google disclosure, HP donated $32,500 to the Canadian Red Cross.

Additionally, a flaw that was publicly demonstrated against Google's Chrome Pwn2own browser is being patched inside the Safari 7.0.3 and 6.1.3 browsers. Security firm Vupen, which demonstrated CVE-2014-1713 at Pwn2own, was awarded $100,000 from HP for the flaw.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.