Apple updated its web browser to Safari 5.0.4, plugging 62 vulnerabilities, a number described as “eye-watering” by Graham Cluley, a researcher at Sophos Labs. Nearly all of the flaws can be exploited by a “maliciously crafted website.”
While Apple does not categorize its product vulnerabilities, these are “critical” flaws, Cluley wrote in a blog. “If that’s not a reason to install a security update to your Safari browser, I’m not sure what is”, he opined.
In addition, Apple updated its mobile operating system to iOS 4.3, plugging another 60 security flaws, many centered on the web page rendering framework WebKit. Many of these flaws can be exploited by a “maliciously crafted” website or TIFF image.
These are…the kind of vulnerabilities that have been exploited by malicious hackers and virus writers in the past and would present a way to deliver code to a non-jailbroken iPhone that did not involve entering via the official iPhone App Store”, Cluley noted.
The Safari updates were not done in time for the Pwn2Own hacking contest that took place at the CanSecWest conference in Vancouver this week. Perhaps Apple’s late delivery of security updates contributed to the hacking of Safari in five seconds by a French team from Vupen to win the contest, according to a report by ZDNet.