Apple has updated its Safari browser, dropping a pile of security fixes that patch more than 25 vulnerabilities in the WebKit framework.
Many of the vulnerabilities Apple repaired in Safari can lead to remote code execution, depending upon the attack vector. There are a number of use-after-free vulnerabilities fixed in WebKit, along with some buffer overflows and other memory corruption issues. One of the vulnerabilities, CVE-2014-1289, for example, allows remote code execution.
“WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site,” the vulnerability description says.
That flaw was fixed in iOS and other products earlier this year but Apple just released the fix for Safari on Monday. Along with the 25 memory corruption vulnerabilities the company fixed, it also pushed out a patch for a separate issue in Safari that could enable an attacker to read arbitrary files on a user’s machine.
“An attacker running arbitrary code in the WebProcess may be able to read arbitrary files despite sandbox restrictions. A logic issue existed in the handling of IPC messages from the WebProcess. This issue was addressed through additional validation of IPC messages,” the Apple advisory says.
More than half of the WebKit flaws fixed in Safari 6.1.3 and 7.0.3 were discovered by the Google security team, which isn’t unusual. Google Chrome uses the WebKit framework, too, and the company’s security team is constantly looking for new vulnerabilities in it.