Apple has updated its Safari browser with multiple security fixes, releasing Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 for Yosemite, Mavericks, and Mountain Lion. These updates mitigate four vulnerabilities (CVEs), including privacy flaws, an issue with PDF-embedded links leading to information leakage, and another bug related to arbitrary code execution.
These updates apply to Safari users on OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.5, and OS X Yosemite 10.10.3.
Apple’s Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 security updates address the following vulnerabilities:
- CVE-2015-3727: A maliciously crafted website can access the WebSQL databases of other websites. An issue existed in the authorization checks for renaming WebSQL tables. This could have allowed a maliciously crafted website to access databases belonging to other websites. The issue was addressed with improved authorization checks.
- CVE-2015-3658: Visiting a maliciously crafted website may lead to account takeover. An issue existed where Safari would preserve the Origin request header for cross-origin redirects, allowing malicious websites to circumvent CSRF protections. This issue was addressed through improved handling of redirects.
- CVE-2015-3659: Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. An insufficient comparison issue existed in the SQLite authorizer, which allowed invocation of arbitrary SQL functions. This issue was addressed with improved authorization checks.
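For server operators, the CVE-2015-3658 entry means a CSRF defence that trusts the Origin header alone depends on every client handling redirects correctly. The following is an added example, not Apple's code or part of the advisory: a simplified model of the header across a redirect chain and a check that also requires a per-session token. The host names, token value, function names and the "null" rule (taken from the Fetch standard as an assumed stand-in for Apple's fix) are assumptions.

```javascript
// Added illustration: a simplified model, not Safari's or any framework's code.
// Hosts and tokens below are constructed sample values.
const APP = 'https://app.example.test';

// Origin header value on the final hop of a redirect chain.
// urls[0] is the first request; later entries are redirect targets.
function originAfterRedirects(initiator, urls, preserveAcrossOrigins) {
  if (preserveAcrossOrigins) return initiator; // behaviour the advisory describes
  for (let i = 1; i < urls.length; i++) {
    const prev = new URL(urls[i - 1]).origin;
    const next = new URL(urls[i]).origin;
    // Assumed corrected rule (Fetch standard "redirect taint"): a hop issued by
    // a server other than the initiator, to a different origin, yields "null".
    if (next !== prev && initiator !== prev) return 'null';
  }
  return initiator;
}

// Length-checked comparison without early exit on the first differing character.
function sameToken(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Weak: trusts the Origin header alone.
function originOnlyCheck(req) {
  return req.headers.origin === APP;
}

// Hardened: Origin must match AND the per-session token must be present.
function originAndTokenCheck(req, session) {
  return originOnlyCheck(req) && sameToken(req.body.csrfToken, session.csrfToken);
}

// Constructed request: started on APP, passed through another origin, came back.
function buildRequest(preserveAcrossOrigins) {
  const chain = ['https://other.example.test/r', APP + '/settings/email'];
  return {
    headers: { origin: originAfterRedirects(APP, chain, preserveAcrossOrigins) },
    body: {}, // constructed: the request carries no CSRF token
  };
}

const session = { csrfToken: 'constructed-sample-token' };
for (const preserve of [true, false]) {
  const req = buildRequest(preserve);
  console.log(preserve, req.headers.origin, originOnlyCheck(req), originAndTokenCheck(req, session));
}
```

With the header preserved, the Origin-only check accepts the redirected request while the combined check rejects it; with the corrected rule both reject it.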
Mac users can install the updated Safari web browser by choosing Apple menu > Software Update (if prompted, enter an admin password), or the updates may be obtained from the Mac App Store.