Safari Update 8.06, Safari 7.1.6, and Safari 6.2.6 for OS X Yosenite, Maverics, & Mountain Lion

Apple Inc. ^ | May 6, 2015

[Swordmaker]

About the security content of Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6

This document describes the security content of Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see Apple Security Updates.

Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6

• WebKit

  Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.3

  Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

  Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

  CVE-ID

  CVE-2015-1152 : Apple

  CVE-2015-1153 : Apple

  CVE-2015-1154 : Apple

• WebKit History

  Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.3

  Impact: Visiting a maliciously crafted website may compromise user information on the filesystem

  Description: A state management issue existed in Safari that allowed unprivileged origins to access contents on the filesystem. This issue was addressed through improved state management.

  CVE-ID

  CVE-2015-1155 : Joe Vennix of Rapid7 Inc. working with HP's Zero Day Initiative

• WebKit Page Loading

  Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.3

  Impact: Visiting a malicious website by clicking a link may lead to user interface spoofing

  Description: An issue existed in the handling of the rel attribute in anchor elements. Target objects could get unauthorized access to link objects. This issue was addressed through improved link type adherence.

  CVE-ID

  CVE-2015-1156 : Zachary Durber of Moodle

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information.

[Swordmaker]

It's time to hit the Apple Software update in the Mac App Store. Security updates. . . Some of you may have this set to do automatically, if not, better do this.

[Swordmaker]

Updates for Safari Browser for OS X Yosemite, OS X Mavericks and OS X Mountain Lion were released today. So for all Apple Mac users of those operating systems it's time to hit the Apple Software update in the Mac App Store. Security updates. . . Some of you may have this set to do automatically, if not, better do this for security reasons. — PING!

Prevent your Mac
from being broken into, UPDATE NOW!
Ping!

If you want on or off the Mac Ping List, Freepmail me.

I challenge the members of the Apple ping list to each donate at least $10 each to the latest Freepathon. I HAVE donated $100. Many members of the Apple Ping list are already rising to the challenge. Join them. Let's show the power of the Apple Ping list in supporting Freerepublic!

If you have ordered an Apple Watch,
MAKE A DONATION TO THE FREEPATHON!

[Biggirl]

Thanks for the info. Just got it in Apps last night.

[dayglored]

Morning Swordmaker!

Thanks for the heads up, I'll do the updates on my machines tonight.

I REALLY like the fact that Apple is using PGP keys for validation. PGP is still the strongest, as-yet-unbroken, easy-to-use encryption available to us non-NSA peons. Three cheers for one of my personal heroes, Phil Zimmerman.

Actually I mostly use the Gnu FOSS equivalent (GPG) but it's functionally identical. Converted all my old 2048-bit PGP keys over to 4096-bit a month ago.

There's ever-increasing reason to encrypt important private data, and no reason in the world to use something the authorities have cracked (unless it's a communication encryption standard like SSL where you don't have a choice).

I wish Microsoft would act more like a leader in personal encryption and less like a government lapdog. Oh well.