Security News

Apple Releases Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7

Apple has updated its Safari browser with multiple security fixes, releasing Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 for Yosemite, Mavericks, and Mountain Lion. These updates mitigate four vulnerabilities (CVEs), including privacy flaws, an issue with PDF-embedded links leading to information leakage, and another bug related to arbitrary code execution.

“This update also improves performance by reducing Safari memory usage, and fixes an issue that allowed a website to use JavaScript alerts to prevent users from navigating away,” Apple’s update notice states.

These updates apply to Safari users on OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.5, and OS X Yosemite 10.10.3.

Apple’s Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 security updates address the following vulnerabilities:

  • CVE-2015-3727: A maliciously crafted website can access the WebSQL databases of other websites. An issue existed in the authorization checks for renaming WebSQL tables. This could have allowed a maliciously crafted website to access databases belonging to other websites. The issue was addressed with improved authorization checks.
  • CVE-2015-3658: Visiting a maliciously crafted website may lead to account takeover. An issue existed where Safari would preserve the Origin request header for cross-origin redirects, allowing malicious websites to circumvent CSRF protections. This issue was addressed through improved handling of redirects.
  • CVE-2015-3660: Clicking a maliciously crafted link in a PDF embedded in a webpage may lead to cookie theft or user information leakage. An issue existed with PDF-embedded links which could execute JavaScript in a hosting webpage’s context. This issue was addressed by restricting the support for JavaScript links.
  • CVE-2015-3659: Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. An insufficient comparison issue existed in SQLite authorizer which allowed invocation of arbitrary SQL functions. This issue was addressed with improved authorization checks.
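
For site operators, CVE-2015-3658 is a reminder not to rely on the Origin header alone for CSRF protection. The sketch below is an added example (not Apple's code and not taken from the advisory) comparing an Origin-only check with one that also requires a per-session token; the origin `https://bank.example`, the function names and the sample requests are constructed for illustration.

```python
import hmac
import secrets

TRUSTED_ORIGIN = "https://bank.example"  # constructed value, not from the advisory


def origin_only_check(headers):
    """CSRF defence that trusts the Origin request header and nothing else."""
    return headers.get("Origin") == TRUSTED_ORIGIN


def origin_and_token_check(headers, form, session):
    """Origin check plus a per-session synchronizer token (defence in depth)."""
    if headers.get("Origin") != TRUSTED_ORIGIN:
        return False
    expected = session.get("csrf_token")
    if not expected:
        return False
    supplied = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def sample_requests():
    """Constructed inputs: one genuine form post, one arriving via a redirect."""
    session = {"csrf_token": secrets.token_urlsafe(32)}
    genuine = {
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"amount": "10", "csrf_token": session["csrf_token"]},
    }
    # An unpatched browser kept the trusted Origin across a cross-origin
    # redirect; the body was not produced by the site's own form, so it
    # carries no valid token.
    redirected = {
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"amount": "10"},
    }
    return session, genuine, redirected


def evaluate():
    """Return (origin_only, origin_and_token) verdicts for each sample request."""
    session, genuine, redirected = sample_requests()
    return {
        name: (
            origin_only_check(req["headers"]),
            origin_and_token_check(req["headers"], req["form"], session),
        )
        for name, req in (("genuine", genuine), ("redirected", redirected))
    }


if __name__ == "__main__":
    print(evaluate())
```
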

Mac users can install the updated Safari web browser by choosing Apple menu > Software Update (if prompted, enter an admin password), or the updates may be obtained from the Mac App Store.