Apple patches Safari for fourth month in a row

By

The release of Safari 4.0.3 -- the fifth browser update of the year from Apple -- fixes six vulnerabilities.

Three of the flaws -- involving issues in CoreGraphics, ImageIO and WebKit -- could be exploited to execute arbitrary code, according to an Apple advisory.

Perhaps the most unique bug involves a problem with Safari's new Top Sites feature, which provides an "at-a-glance view" of a user's favorite sites, the advisory said. An attacker might be able to exploit the flaw by adding a malicious site to this list, permitting potential phishing scams. Apple fixed the issue by only permitting websites that a user manually visits to be included in the list.

Andrew Storms, director of security operations at vulnerability management firm nCircle, suggested that, considering the number of security updates from Apple this year, the company may want to consider setting a patching schedule.

Vendors such as Microsoft, Oracle and Adobe already do this.

So far this year, Apple has delivered five Safari updates and three Mac OS X updates, the most recent on August 5. Safari has been patched each month since May. Tuesday's release arrived on the same day that Microsoft distributed nine patches to resolve nineteen flaws.

"This release makes the contrast between the security processes of Microsoft and Apple even more stark," Storms said. "Microsoft's release was planned, but Apple's updates seem to arrive at a haphazard pace."


See original article on scmagazineus.com

Apple patches Safari for fourth month in a row
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:

Most Read Articles

CBA using facial recognition logins to verify disputed payments

CBA using facial recognition logins to verify disputed payments

Researchers demo AI-crippling GPUHammer attack

Researchers demo AI-crippling GPUHammer attack

Qantas obtains court order to prevent third-party access to stolen data

Qantas obtains court order to prevent third-party access to stolen data

Google Gemini for Workspace vulnerable to prompt injection attacks

Google Gemini for Workspace vulnerable to prompt injection attacks

Log In

  |  Forgot your password?