Safari Changelog

New in version 7.1 / 6.2

September 18th, 2014
  • Address the following:
  • Safari:
  • Impact: An attacker with a privileged network position may intercept user credentials
  • Description: Saved passwords were autofilled on http sites, on https sites with broken trust, and in iframes. This issue was addressed by restricting password autofill to the main frame of https sites with valid certificate chains.
  • CVE-ID: CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford University working with Eric Chen and Collin Jackson of Carnegie Mellon University
  • WebKit:
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-ID: CVE-2013-6663 : Atte Kettunen of OUSPG, CVE-2014-4410 : Eric Seidel of Google, CVE-2014-4411 : Google Chrome Security Team, CVE-2014-4412 : Apple, CVE-2014-4413 : Apple, CVE-2014-4414 : Apple, CVE-2014-4415 : Apple
  • WebKit:
  • Impact: A malicious website may be able to track users even when private browsing is enabled
  • Description: A web application could store HTML 5 application cache data during normal browsing and then read the data during private browsing. This was addressed by disabling access to the application cache when in private browsing mode.
  • CVE-ID: CVE-2014-4409 : Yosuke Hasegawa (NetAgent Co., Led.)

New in version 7.0.6 / 6.1.6 (August 14th, 2014)

  • Addresses the following:
  • WebKit:
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues existed in WebKit.
  • These issues were addressed through improved memory handling.
  • CVE-ID: CVE-2014-1384, CVE-2014-1385, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390 (Apple), CVE-2014-1386 (an anonymous researcher), CVE-2014-1387 (Google Chrome Security Team)

New in version 7.0.5 / 6.1.5 (July 1st, 2014)

  • WebKit:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-ID
  • CVE-2014-1325 : Apple
  • CVE-2014-1340 : Apple
  • CVE-2014-1362 : Apple, miaubiz
  • CVE-2014-1363 : Apple
  • CVE-2014-1364 : Apple
  • CVE-2014-1365 : Apple, Google Chrome Security Team
  • CVE-2014-1366 : Apple
  • CVE-2014-1367 : Apple
  • CVE-2014-1368 : Wushi of Keen Team (Research Team of Keen Cloud Tech)
  • CVE-2014-1382 : Renata Hodovan of University of Szeged / Samsung Electronics
  • WebKit:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
  • Impact: Dragging a URL from a maliciously crafted website to another window could lead to the disclosure of local file content
  • Description: Dragging a URL from a maliciously crafted website to another window could have allowed the malicious site to access a file:// URL. This issue was addressed through improved validation of dragged resources.
  • CVE-ID
  • CVE-2014-1369 : Aaron Sigel of vtty.com
  • WebKit:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
  • Impact: A maliciously crafted website may be able to spoof its domain name in the address bar
  • Description: A spoofing issue existed in the handling of URLs. This issue was addressed through improved encoding of URLs.
  • CVE-ID
  • CVE-2014-1345 : Erling Ellingsen of Facebook

New in version 7.0.4 / 6.1.4 (May 22nd, 2014)

  • Addresses the following security issues:
  • WEBKIT:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-ID:
  • CVE-2013-2875 : miaubiz
  • CVE-2013-2927 : cloudfuzzer
  • CVE-2014-1323 : banty
  • CVE-2014-1324 : Google Chrome Security Team
  • CVE-2014-1326 : Apple
  • CVE-2014-1327 : Google Chrome Security Team, Apple
  • CVE-2014-1329 : Google Chrome Security Team
  • CVE-2014-1330 : Google Chrome Security Team
  • CVE-2014-1331 : cloudfuzzer
  • CVE-2014-1333 : Google Chrome Security Team
  • CVE-2014-1334 : Apple
  • CVE-2014-1335 : Google Chrome Security Team
  • CVE-2014-1336 : Apple
  • CVE-2014-1337 : Apple
  • CVE-2014-1338 : Google Chrome Security Team
  • CVE-2014-1339 : Atte Kettunen of OUSPG
  • CVE-2014-1341 : Google Chrome Security Team
  • CVE-2014-1342 : Apple
  • CVE-2014-1343 : Google Chrome Security Team
  • CVE-2014-1344 : Ian Beer of Google Project Zero
  • CVE-2014-1731 : an anonymous member of the Blink development
  • community
  • WEBKIT:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
  • Impact: A malicious site can send messages to a connected frame or window in a way that might circumvent the receiver's origin check
  • Description: An encoding issue existed in the handling of unicode characters in URLs. A maliciously crafted URL could have led to sending an incorrect postMessage origin. This issue was addressed through improved encoding/decoding.
  • CVE-ID:
  • CVE-2014-1346 : Erling Ellingsen of Facebook

New in version 7.0.3 / 6.1.3 (April 2nd, 2014)

  • Fixes an issue that could cause the search and address field to load a webpage or send a search term before the return key is pressed
  • Improves credit card auto-fill with websites
  • Fixes an issue that could block receipt of push notifications from websites
  • Adds a preference to turn off push notification prompts from websites
  • Adds support for webpages with generic top-level domains
  • Strengthens Safari sandboxing
  • Fixes security issues, including several identified in recent security competitions:
  • WebKit:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-ID:
  • CVE-2013-2871 : miaubiz
  • CVE-2013-2926 : cloudfuzzer
  • CVE-2013-2928 : Google Chrome Security Team
  • CVE-2013-6625 : cloudfuzzer
  • CVE-2014-1289 : Apple
  • CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
  • Initiative, Google Chrome Security Team
  • CVE-2014-1291 : Google Chrome Security Team
  • CVE-2014-1292 : Google Chrome Security Team
  • CVE-2014-1293 : Google Chrome Security Team
  • CVE-2014-1294 : Google Chrome Security Team
  • CVE-2014-1298 : Google Chrome Security Team
  • CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of
  • University of Szeged / Samsung Electronics
  • CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's
  • Zero Day Initiative
  • CVE-2014-1301 : Google Chrome Security Team
  • CVE-2014-1302 : Google Chrome Security Team, Apple
  • CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
  • CVE-2014-1304 : Apple
  • CVE-2014-1305 : Apple
  • CVE-2014-1307 : Google Chrome Security Team
  • CVE-2014-1308 : Google Chrome Security Team
  • CVE-2014-1309 : cloudfuzzer
  • CVE-2014-1310 : Google Chrome Security Team
  • CVE-2014-1311 : Google Chrome Security Team
  • CVE-2014-1312 : Google Chrome Security Team
  • CVE-2014-1313 : Google Chrome Security Team
  • CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
  • WEBKIT:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
  • Impact: An attacker running arbitary code in the WebProcess may be able to read arbitrary files despite sandbox restrictions
  • Description: A logic issue existed in the handling of IPC messages from the WebProcess. This issue was addressed through additional validation of IPC messages.
  • CVE-ID:
  • CVE-2014-1297 : Ian Beer of Google Project Zero

New in version 7.0.2 / 6.1.2 (February 26th, 2014)

  • Addresses the following security issues:
  • WebKit:
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-ID: Apple (CVE-2014-1268, CVE-2014-1269, CVE-2014-1270), cloudfuzzer (CVE-2013-6635)
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.1
  • For OS X Mavericks systems, Safari 7.0.2 will be included in OS X Mavericks 10.9.2.
  • For OS X Mountain Lion systems Safari 6.1.2 may be obtained from Mac App Store.
  • For OS X Lion systems Safari 6.1.2 is available via the Apple Software Update application.

New in version 7.0.1 / 6.1.1 (December 17th, 2013)

  • SECURITY FIXES:
  • SAFARI:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9
  • Impact: User credentials may be disclosed to an unexpected site via autofill
  • Description: Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.
  • CVE-ID: CVE-2013-5227 - Niklas Malmgren of Klarna AB
  • WEBKIT:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-ID: Atte Kettunen of OUSPG (CVE-2013-2909), Apple (CVE-2013-5195, CVE-2013-5198, CVE-2013-5199), Google Chrome Security Team (CVE-2013-5196, CVE-2013-5197, CVE-2013-5225), Keen Team (@K33nTeam) working with HP's Zero Day Initiative (CVE-2013-5228).

New in version 7.0 / 6.1 (October 23rd, 2013)

  • NEW FEATURES:
  • Shared Links: See links shared by people you follow on Twitter.
  • Sidebar: See your Bookmarks, Reading List, and Shared Links in one convenient place.
  • One-click bookmarking: Just click the (+) button to the left of the Smart Search Field to add a webpage to your Reading List. Click and hold to add it to the Favorites Bar or to your Bookmarks.
  • Safari Power Saver: Increase energy efficiency by playing only the plug-in content you want to see.
  • Third-party data blocking: By default, Safari blocks third-party websites from leaving cookies and other types of data that could be used to track your browsing.
  • Built-in Yandex Search: Leading Russian search engine Yandex is now an option for Russian users.
  • SECURITY FIXES:
  • SAFARI:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: A memory corruption issue existed in the handling of XML files. This issue was addressed through additional bounds checking.
  • CVE-ID: CVE-2013-1036: Kai Lu of Fortinet's FortiGuard Labs
  • WEBKIT:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.3
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-ID: Google Chrome Security Team (CVE-2013-1037, CVE-2013-1038, CVE-2013-1040, CVE-2013-1041, CVE-2013-1042, CVE-2013-1043, CVE-2013-1045, CVE-2013-1046, CVE-2013-5125, CVE-2013-5127), miaubiz (CVE-2013-1047), Cyril Cattiaux (CVE-2013-2842), Apple (CVE-2013-5128, CVE-2013-1044, CVE-2013-5126), own-hero Research working with iDefense VCP (CVE-2013-1039)
  • WEBKIT:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
  • Impact: Visiting a maliciously crafted website may lead to an information disclosure
  • Description: An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs.
  • CVE-ID: CVE-2013-2848: Egor Homakov
  • WEBKIT:
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
  • Impact: Dragging or pasting a selection may lead to a cross-site scripting attack
  • Description: Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation.
  • CVE-ID: CVE-2013-5129: Mario Heiderich
  • WEBKIT
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
  • Impact: Using the Web Inspector disabled Private Browsing
  • Description: Using the Web Inspector disabled Private Browsing without warning. This issue was addressed by improved state management.
  • CVE-ID: CVE-2013-5130: Laszlo Varady of Eotvos Lorand University
  • WEBKIT
  • Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
  • Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
  • Description: A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking.
  • CVE-ID: CVE-2013-5131: Erling A Ellingsen

New in version 6.0.5 (June 5th, 2013)

  • Safari 6.0.5 is now available and addresses the following:
  • Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking.
  • A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content.
  • XSS Auditor may rewrite URLs to prevent cross-site scripting attacks. This may lead to a malicious alteration of the behavior of a form submission. This issue was addressed through improved validation of URLs.