Apple updated its Mac OS X Mavericks platform yesterday with a number of security fixes for the Safari browser and WebKit layout engine.
The operating system update will move users to OS X Mavericks version 10.9.1. It appears that the broad operating system release is merely a repackaging of a bulletin fixing a single vulnerability in Apple’s Safari browser and a second bulletin addressing eight vulnerabilities in the Cupertino, California-based company’s WebKit rendering engine.
The Safari patch fixes CVE-2013-5227, which was reported to Apple by Niklas Malmgren, a front-end developer for the mobile payments firm Klarna AB. The vulnerability relates to a bug in Safari’s autofill feature that was pushing usernames and passwords into a subframe from a domain separate from the main frame containing the field where such information should have been entered. In other words, the Safari browser was leaking user credentials to an unexpected site with its autofill feature. Apple fixed the problem by improving the browser’s origin tracking system.
The WebKit bulletin resolves CVE-2013-2909, reported by Atte Kettunen of the Oulu University Secure Programming Group, CVE-2013-5196, 5917, and 5225, reported by the Google Chrome security team, CVE-2013-5228, reported by the Keen Team working alongside H-P’s Zero-Day Initiative, and CVE-2013-5195,5198, and 5199, each of which was reported internally by Apple. The vulnerabilities represent a series of memory corruption flaws in the WebKit layout engine. These vulnerabilities can be exploited on unpatched machines if users visit a maliciously crafted site, which can in turn lead to unexpected application termination or arbitrary code execution. They resolved these issues by implementing better memory handling.