Barely 24 hours before a researcher was set to dive deeper into a Safari bug at the Black Hat security conference, Apple today fixed that flaw and 14 others. Apple also switched on extensions in Safari 5.0.1, and launched a gallery of more than 100 add-ons users can download.
Although not the most serious of the 15 vulnerabilities patched today, a flaw in how Safari auto-fills forms with the user's name and personal information was the most prominent of today's bunch, if only because a researcher took the bug public last week.
Jeremiah Grossman, CTO of WhiteHat Security, announced on July 21 that hackers could easily mine names, mailing addresses, email addresses and workplaces of Safari owners because the browser turns on its AutoFill feature by default, and links it to the user's entry in the address book on their Mac or PC.
He had reported the problem to Apple more than a month before, but decided to disclose the vulnerability after he received only automated replies to his emailed queries.
Grossman will demonstrate how browsers, Safari as well as Internet Explorer, Firefox and Chrome, can be forced to pony up users' personal information in a 10 a.m. PT talk on Thursday at Black Hat, the security conference that kicked off Wednesday in Las Vegas. His method of making Safari surrender user information may now be moot.
Of the 15 vulnerabilities Apple quashed today, 13 were accompanied by its usual "arbitrary code execution" phrase, the company's way of saying that the flaws should be considered critical because they can be used to compromise a computer, then plant malware on the machine. All 15 bugs affect both the Mac and Windows versions of Safari.
"Nearly every bug aside from [Grossman's] is basically a drive-by," said Andrew Storms, director of security operations at nCircle Security, in an instant message. "Essentially, it's what we fear in browser bugs. It's the kind of attack where the ordinary user clicks on something and boom, it's game over for you."
Thirteen of the 15 vulnerabilities fixed today could, in fact, be exploited by classic drive-by attacks, the kind that execute when a person simply surfs to a malicious site or an already-hacked legitimate domain. The 13 drive-by bugs were all found in WebKit, the open-source browser engine that both Apple and Chrome use as the bedrock of their browsers.
Because Google's Chrome also relies on WebKit, it's never a surprise when bugs fixed in Safari are reported by security engineers who work for the search giant. Apple credited three of the 15, or 20% of the total, to Google researchers, the same number apparently found by Apple's own personnel.
Safari 5.0.1 can be downloaded from Apple's site for Mac OS X 10.5 (Leopard), Mac OS X 10.6, Windows XP, Windows Vista and Windows 7. Mac OS X users will be notified of the new version automatically by the operating system's software update feature, while Windows users already running Safari will be alerted by the Apple Software Update tool.
Apple today also released Safari 4.1.1 for Mac OS X 10.4 (Tiger).
Along with the security updates, Apple enabled Safari extensions by default (the edition launched last month required users to turn on the feature manually) and debuted a collection of more than 100 add-ons Safari users can download and install. The new Extensions Gallery includes add-ons from the likes of the New York Times, Amazon, Microsoft and Major League Baseball.