Apple blasts 22 WebKit bugs with Safari update
According to Apple's security advisory, All of the 21 security flaws address the iOS browser vulnerabilities proliferating through the Safari’s open-source Webkit rendering engine. This webkit vulnerability allows a malicious website to execute an arbitrary code on the host computer or unexpected termination of an application in an effort to compromise users’ confidential information.
“Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution,” Apple warned in the advisory.
Security updates tackle a number of flaws including:
- CVE-2013-2875
- CVE-2013-2927
- CVE-2014-1323
- CVE-2014-1324
- CVE-2014-1326
- CVE-2014-1327
- CVE-2014-1329
- CVE-2014-1330
- CVE-2014-1331
- CVE-2014-1333
- CVE-2014-1334
- CVE-2014-1335
- CVE-2014-1336
- CVE-2014-1337
- CVE-2014-1338
- CVE-2014-1339
- CVE-2014-1341
- CVE-2014-1342
- CVE-2014-1343
- CVE-2014-1344
- CVE-2014-1731
Most of the vulnerabilities are found by the Apple together with a lot of help from Google Chrome Team of researchers.
This security issues have been attributed to various forms of memory corruption-related issues within the Safari’s Webkit rendering engine and has been patched in the current Safari updates through improved memory handling.
[adsense size='1']
Yet another security issue with Safari’s WebKit is the handling of unicode characters in URLs. The issue has been addressed through improved encoding and decoding. If the critical security vulnerabilities remain unaddressable, it could allow a maliciously crafted URL to send out false postMessage anonymously to the recipient, thus controlling the receiver's origin check.
“A malicious site [could] send messages to a connected frame or window in a way that might circumvent the receiver's origin check,” the site stated.
Apple is more concerned about the security of its users and protects its users’ privacy, so it didn't disclosed or confirmed any of the security flaws until it thoroughly investigated and identified the vulnerabilities along with the release of necessary patches.
“For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website,” reads the advisory.
The released patches are important to update and if not, could leave your system exposed to arbitrary code execution attacks, whereby giving the remote access of the system to an unauthorised third party. So, the users are advised to install the new updates via Mac OS X Software Update feature or manually download the installer from Apple Support website.
Gloss