New Safari browser fixes 13 vulnerabilities

By Dave Nixon

Apple has fixed 13 vulnerabilities in Safari with an update that takes the browser to version 3.1. However a security analyst has articulated anxiety about Apple still patching so many bugs in a “dot-release” operating system.

The latest Safari, which Apple also declared “the world’s fastest web browser for Mac and Windows PCs,” fixed the identical 10 flaws in the Mac and Windows editions, and three more in Safari for Windows XP and Windows Vista. The majority of the 13 vulnerabilities were cross-site scripting bugs.

However, Andrew Storms, director of security operations at nCircle Network Security, cautioned that Apple “has to be careful” releasing updates like this.

Merely one of the patched bugs carried Apple’s most ominous warning, that it could result in “arbitrary code execution.” Unlike competitors such as Microsoft, Apple does not use a rating system to note the seriousness of individual vulnerabilities. Most vendors, however, rank flaws that let attackers execute malicious code as “high” or “extremely high.”

Nine of the vulnerabilities - eight on Mac OS X - were classified by Apple as cross-site scripting flaws, which are frequently used by phishers and other identity thieves, but in a number of instances can be used to plant malware, a Trojan horse, conceivably, on a machine.

It’s simple to dismiss cross-site scripting bugs, warned Storms, but doing so overlooks the big picture. “We’ve come to learn that cross-site scripting vulnerabilities are not the worst of the possible scenarios. But you have to understand where researchers are coming from. They’re concentrating on cross-site scripting vulnerabilities, as well as other client-side bugs It’s all browsers these days.”

Apple detailed the details of the 13 bugs in a security advisory that accompanied the Safari 3 .1 update. The updated browser can be downloaded in versions for Mac OS X 10.4 (Tiger), Mac OS X 10.5 (Leopard), Windows XP and Windows Vista from Apple’s website.