Apple Updates Safari for Security and Lion
Safari 5.1 patches 58 flaws as OS X Lion debuts
Amid all the hype of Apple's new Mac OS X Lion and MacBook Air refresh yesterday, Apple also released a major browser update.
Safari 5.1 is the new version of Apple's browser. It is included with OS X Lion and is also available for download on Windows PCs. From a security perspective, the Safari 5.1 update tackles 37 memory flaws in the WebKit rendering engine.
"Multiple memory corruption issues existed in WebKit," Apple warned in its security advisory. "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution."
WebKit is also being patched for an additional seven vulnerabilities, including fixes for a libxslt flaw, a URL spoofing vulnerability, DNS prefetching and multiple cross-origin issues.
WebKit isn't the only piece of Safari that was vulnerable to attack. Apple is also patching the ImageIO system for at least four different issues dealing with viewing malicious TIFF images.
Among the other interesting fixes is one for Safari's autofill feature.
"Safari's AutoFill web forms feature filled in non-visible form fields, and the information was accessible by scripts on the site before the user submitted the form," Apple's advisory states. "This issue is addressed by displaying all fields that will be filled, and requiring the user's consent before AutoFill information is available to the form. is also getting updated."
Safari 5.1 also introduces something called the Privacy Pane. The Privacy Pane shows browser users what data sites are storing on the user's Mac or PC and makes it easier to delete or block. For Mac OS X Lion users, Apple is going a step further by providing full sandboxing of code running in Safari.
"If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe," Apple's What's New page for Safari states.
Safari 5.1 isn't just about security-related updates and features; it also contains a number of new non-security features. One of them is the Safari Reading List, which has been billed by some as an Instapaper killer. Instapaper is an online service that lets users save websites to read later, which is what the new Safari Reading List provides.
"Whenever you come across something interesting on the web, save it to Reading List," Apple's What's New page for Safari states. "Then when you have more time to read articles, watch videos, or shop, your link-filled Reading List is ready and waiting."