Apple issued an update for Safari yesterday to cover numerous security fixes.
Affecting versions 5.0.6 and 5.1, the patch covers 57 vulnerabilities, of which 46 could lead to remote code execution, four to information disclosure, three to the spoofing of addresses or content, three to cross-site scripting, and one to the mismanagement of SSL certificates.
According to Paul Ducklin, Sophos' head of technology for Asia Pacific, the update also offers improvements and a few new features, including one called the Reading List that lets you add web pages and links into a reading list to look at later. The non-security-related features in the update are in Apple article HT4611.
Andrew Storms, director of security operations at nCircle, said: “The sheer number of vulnerabilities being patched in Safari is mind-boggling. Microsoft and Oracle definitely release big patches, but the fixes they ship generally apply to many different applications and operating systems. This is a vast number of bugs for just Safari alone. There are so many code execution bugs alone I've gone cross-eyed.
“It's no surprise that Apple is updating Safari the same day that Lion is released. It's a little odd that they didn't also update QuickTime, since a new Apple OS usually ships with a bunch of security fixes for Apple applications.”
Apple released OS X Lion earlier this week, with an emphasis on application visibility and usability. New features include AirDrop, which allows files to be sent wirelessly, and an AutoSave option. Installing Lion removes the need for the separate Safari download, as the update is included in Lion.
Edy Almer, vice president of product management at Safend, said: “The introduction of the Mac OS X Lion has brought with it a number of new features. As with any significant software changes or upgrades, users should be cautious when updating systems, as the methods used to encrypt sensitive data may not fully transfer during the update and could leave users at risk of having unencrypted data or leaving files damaged.
“If users have encrypted any files, they could consider decrypting before running the upgrade process and then re-encrypting the files to ensure data remains fully secure.”
Jeff Erwin, president and CEO of Intego, said: “We're very happy to see Lion released, and Mac users will be too. We have updated our software to make sure that our users will be able to continue to protect their Macs and remain safe from the dangers of the internet. As always, our software is compatible with the latest version of Mac OS X on the day of its release.”
Also, according to mactrast.com, Google is believed to be working on a Lion-optimised version of its Chrome browser after user reports claimed that Chrome did not work well on the new OS X. Mactrast claimed that the update will likely bring increased support for Lion's gestures and enable new Lion features, including physical 'swiping' between pages. It also claimed that a Lion update will mimic the new tendency to auto-hide scroll bars when you aren't actively using them, and add an enhanced Full-Screen App mode based on Lion's new API for that.