Apple issues Safari 7.0.4 and 6.1.4 updates to fix WebKit vulnerabilities

Posted:
in Mac Software edited May 2014
Apple on Wednesday released new versions of Safari for OS X 10.9 Mavericks and OS X 10.8 Mountain Lion, patching two bugs related to WebKit that could allow malicious sites to run code on a user's computer.



According to Apple, Safari 7.0.4 for OS X 10.9 Mavericks and Safari 6.1.4 for OS X 10.8 Mountain Lion both address a WebKit flaw in which arbitrary code could be executed on a host computer when visiting a malicious website. The same issue can also cause Safari to unexpectedly crash.

A second problem with WebKit's handling of unicode characters in URLs that allows a maliciously crafted URL to send out false postMessage origins, thus overcoming the receiver's origin check. The issues was resolved through enhanced encoding and decoding.

The latest Safari for OS X versions come a month and a half after the previous Safari 7.0.3 and 6.1.3 updates were released in early April. The older iterations brought granular control over push notifications and support for new top-level domain names like ".cab" and ".clothing."

Safari 7.0.4 and 6.1.4 can be downloaded for free via Software Update.

Comments

  • Reply 1 of 5
    mpantonempantone Posts: 1,337member
    The Safari 6.1.4 update (54.4MB) is also available for OS X 10.7 Lion.
  • Reply 2 of 5
    magic_almagic_al Posts: 325member
    Since Apple apparently doesn't do security updates for Mac OS X 10.6 Snow Leopard any more, is this flaw present in that version of WebKit or not?
  • Reply 3 of 5
    blah64blah64 Posts: 851member
    Quote:
    Originally Posted by Magic_Al View Post
    Since Apple apparently doesn't do security updates for Mac OS X 10.6 Snow Leopard any more, is this flaw present in that version of WebKit or not?


    Great question. Can anyone answer this??

    Actually, I don't remember what originally came with 10.6, perhaps it was Safari 4. But can anyone at least answer if the flaw is in the version just prior to what's being discussed, i.e. Safari 5 (of which I think 5.1.2 is the latest), which runs perfectly on 10.6

    What manufacturers should do for stuff like this is have a page that you can load that shows whether you're vulnerable or not, like you sometimes see security researchers do.
  • Reply 4 of 5
    haggarhaggar Posts: 1,568member

    In Safari 7, I use the Manage Website Settings to configure certain sites to block Flash player while setting the default to allow.  But I occasionally find that sites which were set to Block have either changed to Allow, or have been removed from the list.  Why is it doing this?  Do I have to reconfigure the sites every time  there is a Safari or Flash plugin update?

  • Reply 5 of 5
    benjamin frostbenjamin frost Posts: 7,203member
    Haven't updated Safari yet, but it's possible that it will be snappier.
Sign In or Register to comment.