Apple Pulls Latest Round of Safari Patches

Apple has pulled a batch of security updates for Safari that it initially released yesterday.

Apple has pulled a batch of security updates for Safari that it initially released yesterday. The updates were set to address several usability and security issues in the browser including some that could have led to code execution and data exfiltration.

While notes for the patches are still published in the security section of Apple’s support site, the actual update has disappeared from Apple’s Software Update mechanism, suggesting that the fixes were not ready for the public.

Whenever it’s made public, the update will affect three builds of Safari: 6.2.1, 7.1.1, and 8.0.1, on OS X Lion, Mavericks, and Yosemite, respectively.

Ultimately three WebKit issues will be fixed with the update.

The first fixes an issue with style sheets that are loaded cross-origin, something that could lead to data exfiltration if a CSS file was loaded by a Scalable Vector Graphics (SVG) image embedded in an img element. With the update, the browser tightens how such external CSS files are blocked. Apple credits Rennie deGraaf of iSEC Partners for digging up this particular bug.

The second fix remedies an issue discovered by Jordan Milne, a Canadian web security consultant, where any website that frames malicious content could have triggered UI spoofing.

The last issue could have led to unexpected application termination or arbitrary code execution if a user visited a malicious website. This issue, which stems from several memory corruption bugs (11 CVEs in total), was fixed through improved memory handling.

Before it was pulled, the update was also said to have fixed an issue that prevented history from being synced across devices if iCloud was turned off, and prevented saved passwords from being auto-filled. The update is also said to enhance Safari’s WebGL graphics on Retina displays.

While Apple has been known to pull back updates from time to time, it’s unclear when exactly the patches will resurface in Software Update. In late September, shortly after it released the iPhone 6, the company pulled back an iOS update (8.0.1) that wound up disabling cellular service and Touch ID on a number of iPhones. Apple pushed out a replacement update the next day and later blamed the snag on software distribution issues.

Email requests for comment to Apple were not immediately returned on Thursday.
