Apple Issues Safari Update with a Raft of Fixes

The patches fix several use-after-free and memory corruption problems, including buffer overflows

Safari Version 7.0.3 also brings compatibility, stability and security improvements, including a new option for turning off push notification prompts for websites and a fix for an issue that could block receipt of those notifications from websites. It includes improvements for credit card autofill and stronger sandboxing, adds support for webpages with generic top-level domains, and fixes an issue that could cause the search and address field to load a webpage or send a search term before the return key is pressed.

Apple has also released new versions of Safari 6.1.3 for Mountain Lion and Lion users.

As for the security vulnerabilities, the patches fix several use-after-free and memory corruption problems, including buffer overflows. The Google Chrome security team and the HP Zero-Day Initiative found many of the bugs, some of them during hacking competitions.

Worryingly, taken together, these flaws in unpatched WebKit mean that maliciously crafted websites could crash the browser or lead to arbitrary code execution. “WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site,” Apple said in its advisory.

The patch also addresses a flaw that would let an attacker who had already gained code execution inside the sandboxed WebProcess read files the sandbox is supposed to keep out of reach. “An attacker running arbitrary code in the WebProcess may be able to read arbitrary files despite sandbox restrictions. A logic issue existed in the handling of IPC messages from the WebProcess. This issue was addressed through additional validation of IPC messages,” the Apple alert noted.
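The sandbox escape Apple describes is a classic broker-validation problem: a privileged process accepts file requests over IPC from a less-trusted, sandboxed process, so every field of those messages must be validated on the privileged side before it is acted on. The following is an added illustration of that pattern, not WebKit's or Apple's code; the message format, the `Broker` class, the allowed-root policy and the sample messages are all constructed here to show the check in isolation.

```python
"""Illustrative broker-side validation of file-read IPC requests.

A sandboxed worker (stand-in for a browser WebProcess) can only ask a more
privileged broker to read files.  The broker must not trust the path it is
handed: it canonicalises the request and confines it to an allowlisted root
before touching the filesystem.  All names and data here are constructed.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed message-type identifiers for the toy IPC protocol.
MSG_READ_FILE = 1
MSG_UNKNOWN = 99


@dataclass(frozen=True)
class IpcMessage:
    msg_type: int
    path: str


class Broker:
    """Privileged side of the IPC channel; enforces the file-access policy."""

    def __init__(self, allowed_roots: List[str]) -> None:
        # Normalise the policy roots once so comparisons are apples to apples.
        self.allowed_roots = [posixpath.normpath(r) for r in allowed_roots]

    def validate_read_request(self, msg: IpcMessage) -> Optional[str]:
        """Return None if the request may proceed, else the reason it was refused."""
        if msg.msg_type != MSG_READ_FILE:
            return "unexpected message type for a read request"
        if not isinstance(msg.path, str) or not msg.path:
            return "path missing or not a string"
        if "\x00" in msg.path:
            return "embedded NUL in path"
        if not msg.path.startswith("/"):
            # Relative paths would resolve against the broker's CWD, not the sandbox.
            return "relative path rejected"
        # Lexically collapse '.', '..' and duplicate separators.  A real broker
        # must additionally resolve symlinks against the live filesystem
        # (e.g. os.path.realpath) before the confinement check below.
        canonical = posixpath.normpath(msg.path)
        for root in self.allowed_roots:
            if canonical == root or canonical.startswith(root + "/"):
                return None
        return "path outside sandboxed roots: %s" % canonical


def handle_unvalidated(messages: List[IpcMessage]) -> List[Tuple[str, Optional[str]]]:
    """The weak pattern: act on whatever path the sandboxed process sent."""
    return [(m.path, None) for m in messages]


def handle_validated(broker: Broker,
                     messages: List[IpcMessage]) -> List[Tuple[str, Optional[str]]]:
    """The hardened pattern: every message is checked before any file is opened."""
    return [(m.path, broker.validate_read_request(m)) for m in messages]


# Constructed sample traffic from the sandboxed side: one legitimate request,
# one traversal attempt, one prefix-confusion attempt, one relative path and
# one request carrying the wrong message type.
SAMPLE_MESSAGES = [
    IpcMessage(MSG_READ_FILE, "/tmp/webprocess-cache/thumb.png"),
    IpcMessage(MSG_READ_FILE, "/tmp/webprocess-cache/../../etc/passwd"),
    IpcMessage(MSG_READ_FILE, "/tmp/webprocess-cache-other/notes.txt"),
    IpcMessage(MSG_READ_FILE, "etc/passwd"),
    IpcMessage(MSG_UNKNOWN, "/tmp/webprocess-cache/thumb.png"),
]


def accepted_paths(results: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Paths a handler would actually go on to open."""
    return [path for path, reason in results if reason is None]


if __name__ == "__main__":
    broker = Broker(["/tmp/webprocess-cache"])
    print("unvalidated accepts:", accepted_paths(handle_unvalidated(SAMPLE_MESSAGES)))
    for path, reason in handle_validated(broker, SAMPLE_MESSAGES):
        print("%-45s %s" % (path, "ALLOW" if reason is None else "DENY (%s)" % reason))
```

The confinement check compares the canonical path against `root + "/"` rather than `root` alone, which is what stops the `/tmp/webprocess-cache-other` request from slipping past a naive prefix match. Note that the lexical normalisation used here is not a substitute for resolving symlinks on the real filesystem.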

As always, Mac users should update their machines as soon as possible.
