Apple patches record number of Safari 5 bugs with monster update

Browser update fixes 83 security flaws, most in WebKit engine; boosts JavaScript performance on OS X Lion

Apple yesterday updated Safari to version 5.1.4, patching 83 vulnerabilities and boosting JavaScript performance on OS X Lion.

The patch count was a record for Safari 5, which Apple released in June 2010, three months before launching OS X Snow Leopard.

Of the 83 vulnerabilities, Apple tacitly classified 72 as critical.

Although Apple does not formally rate vulnerabilities on a threat scale as Microsoft does, the phrase "may lead to ... arbitrary code execution" in its security advisories describes the type of bug that attackers could theoretically use to compromise a Mac and plant malware on the machine.

None of the vulnerabilities have been used in actual attacks, however.

Monday's update easily beat Safari 5's former record of 62 patches, set in March 2011. Apple issued other large collections for its browser last year, including a 58-patch upgrade in July and one of 43 in October.

Seventy-two of the 83 flaws were patched in WebKit, the open-source browser engine that powers both Safari and Google's Chrome. Apple tagged them all as memory corruption bugs that could be triggered simply by visiting a malicious site.

More than half of the WebKit vulnerabilities were reported by Chrome's security team or by independent researchers who submit bugs to Google's bounty program.

The same WebKit vulnerabilities had been patched previously by Apple, both in the iOS mobile operating system with last Wednesday's upgrade to version 5.1, and in iTunes 10.6, another update last week.

iTunes relies on WebKit to render its online store.

Because of Google's persistence in rooting out vulnerabilities in WebKit, it was no surprise that many of the bugs Apple patched in Safari on Monday had been addressed by Google in Chrome months earlier.

Several flaws fixed in Safari 5.1.4, for instance, had been patched in September 2011, when Google upgraded its browser to version 14, and in a subsequent October 2011 update.

Besides the security patches, Apple also addressed a number of other performance, stability and compatibility issues.

Top of the list for users running Safari in Lion was an increase in JavaScript performance, although Apple did not specify how much faster the browser should render JavaScript. Another Lion-specific fix dealt with incomplete Flash content when using gestures.

Other bug fixes addressed screen dimming while watching HTML5 video, sluggish browser startup and flashing Web pages when switching between Safari windows.

Safari can be downloaded from Apple's website for Snow Leopard or Lion on a Mac, and for Windows XP, Vista and Windows 7 on a PC. Mac OS X users will be notified of the new version automatically, while Windows users already running Safari will be alerted by the Apple Software Update tool.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His email address is gkeizer@ix.netcom.com.


This story, "Apple patches record number of Safari 5 bugs with monster update" was originally published by Computerworld.
