Apple released an update to Safari yesterday patching 22 vulnerabilities in the WebKit browser engine that could allow code execution or a browser crash.
Safari 7.0.4 is available for OS X Mavericks 10.9 and Safari 6.1.4 for OS X Mountain Lion 10.8. The vulnerabilities could be exploited if the user was tricked into visiting a malicious website and fell victim to a drive-by download.
“Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling,” Apple said in its advisory.
Apple also described a second security issue in the way WebKit handles Unicode characters in URLs; according to Apple, a malicious site could send messages that would circumvent the receiver’s origin check, causing the browser to crash.
“A maliciously crafted URL could have led to sending an incorrect postMessage origin. This issue was addressed through improved encoding/decoding,” Apple said.
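As an added illustration, not code from the article or from WebKit, here is the receiving side of the postMessage issue Apple describes: a listener that accepts only messages whose `event.origin` matches an allowlist by exact comparison, shown beside the loose substring check that such messages are meant to slip past. The origins and messages are constructed sample values.

```javascript
// Constructed allowlist of origins this page is willing to take messages from.
const TRUSTED_ORIGINS = new Set([
  "https://app.example",
  "https://widgets.example",
]);

// Weak check: substring matching accepts "https://app.example.attacker.test"
// and any other host that merely contains the expected string.
function isTrustedOriginWeak(origin) {
  return typeof origin === "string" && origin.indexOf("app.example") !== -1;
}

// Hardened check: require a string, reject the opaque "null" origin, parse it,
// require https, and compare the re-serialized origin exactly. A host with
// Unicode lookalike characters re-serializes differently (IDNA/punycode) and
// so never equals the allowlisted ASCII origin.
function isTrustedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false; // not a valid URL at all
  }
  if (parsed.protocol !== "https:") return false;
  // parsed.origin is scheme://host[:port] only, so a value carrying a path,
  // userinfo or different casing cannot match.
  return parsed.origin === origin && TRUSTED_ORIGINS.has(parsed.origin);
}

// Receiver: check the origin before touching the payload, then accept only the
// single message shape this page expects. Returns the reply or null if dropped.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "ping") return null;
  return { reply: "pong", to: event.origin };
}

// Wire it up in a browser; reply only to the exact origin we validated.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const reply = handleMessage(ev);
    if (reply && ev.source) ev.source.postMessage(reply, ev.origin);
  });
}
```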
Many of the WebKit code execution vulnerabilities were discovered by the Google Chrome Security Team; Google used WebKit in the Chrome browser until version 27. Since then, Chrome has relied on Blink.
While most of the bugs are fresh, two of the patches address vulnerabilities reported in 2013. CVE-2013-2875 addresses a remote denial-of-service bug in Blink, while CVE-2013-2927 is a use-after-free vulnerability in the Blink HTMLFormElement function used in Chrome before version 30. It, too, allows attackers to remotely cause a denial-of-service condition in the browser.
Below is a list of the CVEs addressed in this update, along with reporting credit:
- CVE-2013-2875: miaubiz
- CVE-2013-2927: cloudfuzzer
- CVE-2014-1323: banty
- CVE-2014-1324: Google Chrome Security Team
- CVE-2014-1326: Apple
- CVE-2014-1327: Google Chrome Security Team, Apple
- CVE-2014-1329: Google Chrome Security Team
- CVE-2014-1330: Google Chrome Security Team
- CVE-2014-1331: cloudfuzzer
- CVE-2014-1333: Google Chrome Security Team
- CVE-2014-1334: Apple
- CVE-2014-1335: Google Chrome Security Team
- CVE-2014-1336: Apple
- CVE-2014-1337: Apple
- CVE-2014-1338: Google Chrome Security Team
- CVE-2014-1339: Atte Kettunen of OUSPG
- CVE-2014-1341: Google Chrome Security Team
- CVE-2014-1342: Apple
- CVE-2014-1343: Google Chrome Security Team
- CVE-2014-1344: Ian Beer of Google Project Zero
- CVE-2014-1731: an anonymous member of the Blink development community
- CVE-2014-1346: Erling Ellingsen of Facebook
In April, Apple patched 25 Safari bugs, all of them in the WebKit framework as well, including a handful of remote code execution flaws.