Apple Patches Severe Safari Vulnerabilities

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Apple patches 27 bugs in Safari that could have allowed hackers to target users via specially-crafted sites

Tech titan Apple has confirmed patches for a long list of vulnerabilities in its Safari browser, which could have allowed attackers to gain system access on people’s Mac OS X machines.

Many of the flaws were resident in the WebKit browser engine that Safari uses, allowing an outsider to corrupt memory. Safari 6 and 7 are both affected.

Pwn2Own Safari problems fixed

Apple Safari LogoThe list of memory corruption flaws included vulnerabilities used to hack the software in the recent Pwn2Own hacking contest. Various Google researchers and exploit seller  VUPEN were credited for uncovering the problems.

“Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution,” Apple said of the Webkit flaws, in its advisory.

A separate WebKit logic issue, identified by Ian Beer of Google Project Zero, was also patched. “An attacker running arbitrary code in the WebProcess may be able to read arbitrary files despite sandbox restrictions,” Apple warned.

A total of 27 flaws were fixed, across Mac OS X Mountain Lion and Mavericks operating systems. The Safari 7.0.3 and 6.1.3 updates will fix the issues.

It was only in February that Apple was forced to issue fixes across iOS and Mac OS X for a weakness in the operating systems’ handling of SSL encryption.

Are you a security expert? Try our quiz!