Multiple critical bugs in Apple’s Safari web browser are now patched, thanks to security updates for OS X Mountain Lion, Mavericks and Yosemite.
A new version of the Safari browser, released on Wednesday, fixes a handful of intrusive bugs that could allow an attacker to take control of a system using a malicious website.
The new version of the browser comes as Safari 8.0.6 for OS X Mountain Lion, Safari 7.1.6 for Mavericks and Safari 6.2.6 for Yosemite. The updates are being rolled out a month after Apple released its previous batch of security fixes for the browser.
The first set of flaws fixed since the previous update was discovered by Apple itself, which noted that the first bug affected its browser engine, WebKit, through three memory corruption issues that can cause the browser to crash.
“Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling,” Apple said on its support page.
The same bug, CVE-2015-1152, allowed arbitrary code execution or unexpected application termination if a user mistakenly visited a malicious website. The first patch fixes this vulnerability.
The second patch targets a vulnerability located in WebKit History that could allow malicious hackers to access contents on the file-system through an unspecified state management issue.
Apple described this bug as “a state management issue existed in Safari that allowed unprivileged origins to access contents on the file-system. This issue was addressed through improved state management.”
This essentially means remote access to the file system, which makes for a scary thought.
Another bug, CVE-2015-1155, was found in WebKit page loading and reported by Zachary Durber of Moodle. It would allow an attacker to spoof Safari's user interface after a user clicked a link that takes the browser to a malicious website, which fostered phishing.
“An issue existed in the handling of the ‘rel attribute’ in anchor elements. Target objects could get unauthorized access to link objects. This issue was addressed through improved link type adherence,” Apple noted.
Users who are likely to forget about patching their browsers can set their systems to automatically apply Apple’s Safari updates. It is also advised to update the browsers altogether, as research last year showed that despite auto-updates being available, many Safari and Internet Explorer users were running out-of-date versions of the software.
If you’re a Mac user, it’s advisable to keep an eye out for the updates.