Apple has issued updates to fix flaws in its Safari 6 browser and iOS 6 mobile OS. The fixes were made available last week and address two vulnerabilities in Safari 6.0.2.
The bugs, which reside in the open source WebKit web browser engine, could allow “unexpected application termination or arbitrary code execution” if users visited a malicious website, according to Apple’s summary of the faults.
The browser update applies to the OS X Lion and OS X Mountain Lion operating systems.
Updates for iOS 6.0.1, affecting the iPhone 3GS, iPad 2 and the fourth-generation iPod Touch, covered the same vulnerabilities for mobile users.
Additional patches in iOS dealt with an information disclosure bug, which could allow “maliciously crafted or compromised iOS applications” to determine strings in the kernel, and a passcode-lock security issue, which could possibly permit attackers to bypass password requirements for Passbook. Passbook is an iOS app that can store users’ airline boarding passes, coupons, movie tickets, retailer reward cards and other mobile payment data.
Qualys CTO Wolfgang Kandek said the WebKit bugs represented the most widespread threat to users.
“When you use Safari or Google Chrome, for instance, you are using WebKit as its underpinning,” Kandek said. “The attacks would be through a website that has something malicious on there that knows about the vulnerability, and it could run something on your machine that wants to take control of it. You probably wouldn’t even notice [malware] that had been installed on your machine, which could feed information to an attacker.”