​Apple patches multiple security bugs in Safari

Apple has fixed up versions of its browser for OS X Mountain Lion, Mavericks, and Yosemite.
Written by Liam Tung, Contributing Writer on

Apple has released new versions of Safari with security updates for OS X Mountain Lion, Mavericks, and Yosemite.

Mac users should keep an eye out for the updates, released on Wednesday, which fix a handful of bugs that could allow an attacker to take control of a system using a malicious website.

The versions released include Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6. The updates are appearing around one month after Apple released its last lot of security fixes for the browser, alongside a monster security update for OS X Mountain Lion, Mavericks, and Yosemite. The last Safari updates for Yosemite shipped with version v10.10.3 in April.

The first set of new flaws in Safari were discovered by Apple and affect its browser engine WebKit in Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 due to three memory corruption issues that can be exploited through a maliciously crafted website, and can cause the browser to crash or execute arbitrary code.

"Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling," Apple said on its support page.

A second bug discovered by Rapid7 researcher Joe Vennix affects WebKit History and may allow an attacker to compromise user information on the filesystem via a maliciously crafted website.

"A state management issue existed in Safari that allowed unprivileged origins to access contents on the filesystem. This issue was addressed through improved state management," said Apple.

A fifth bug was found in WebKitPage Loading and reported by Zachary Durber of Moodle, and would allow an attacker to spoof the user interface of Safari after clicking a link that takes the browser to a malicious website.

"An issue existed in the handling of the rel attribute in anchor elements. Target objects could get unauthorized access to link objects. This issue was addressed through improved link type adherence," Apple noted.

People likely to forget about patching their browsers can set their systems to automatically apply Apple's Safari updates. Research last year showed that despite auto-updates being available, many people, in particular Safari and Internet Explorer users, were running out-of-date versions of software.

And, while there might be fewer malware samples out there for Macs compared to Windows, there are enough ad-injectors for Safari that Apple maintains a dedicated support page explaining how to remove them.

Read more on Apple security

Editorial standards