Security News

The big news from Apple today is the release of OS X Mavericks 10.9.2 and Security Update 2014-001, which fixed a serious SSL bug (also called the ‘gotofail’ security hole) that had left millions of users exposed to potential eavesdropping or account hijacking. Alongside the OS X updates, Apple quietly released Safari 6.1.2 and Safari 7.0.2. The Safari updates patch 4 vulnerabilities in WebKit to improve web browser security.

Safari 6.1.2 and Safari 7.0.2 updates are available for: OS X Lion Server 10.7.5, Mac OS X 10.7.5, 10.8.5, and 10.9.1.

These updates address vulnerabilities related to arbitrary code execution. “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution,” noted Apple on the impact of the bugs.

The following vulnerabilities were fixed in Safari 6.1.2 and Safari 7.0.2:

• CVE-2013-6635 : Use-after-free vulnerability in the editing implementation in Blink, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service or possibly have unspecified other impact via JavaScript code that triggers removal of a node during processing of the DOM tree, related to CompositeEditCommand.cpp and ReplaceSelectionCommand.cpp.
• CVE-2014-1268, CVE-2014-1269, CVE-2014-1270 : Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

Mac users running OS X Lion systems can install the Safari 6.1.2 update by choosing Apple menu > Software Update (if prompted, enter an admin password). For OS X Mountain Lion users, Safari 6.1.2 may be obtained from the Mac App Store. For OS X Mavericks users, Safari 7.0.2 is included in the OS X Mavericks 10.9.2 update.