On the first day that Lion was available for Mac OS X, it was downloaded over a million times. That is impressive, but coming from Apple, is that really a surprise? In addition to all the goodies that Lion brings, a host of security updates were also bundled into the update of Safari as Apple starts pushing security patches more frequently.
There were 57 security patches for Safari in the update to versions 5.1 and 5.0.6, and most of them have to do with “remote code execution,” which is security slang for “drive-by malicious downloads.” Yes, Apple fans, your computer is just as vulnerable to malware if you visit a malicious site as any PC. This update for Safari will help alleviate some of the problems, but as Macs gain more market share, expect a lot more security updates to come from Cupertino.
The Safari updates are not limited to Lion; they also apply to Windows computers running Safari. There is a touch of irony for any user infected with malware on Windows while running an OS X product. As for Safari itself, most of the updates patch vulnerabilities related to WebKit, the layout engine Apple uses for Safari to render Web pages.
The WebKit updates include a variety of terms that Windows users may be familiar with if they follow the security patches on their computers regularly. Vulnerabilities have been patched for URL spoofing (when the browser goes to a different location than what is in the address bar), malicious RSS feeds, and cross-site scripting. Almost all of the WebKit updates start with “visiting a maliciously crafted website may lead to…” Essentially, that refers to drive-by downloads when Safari visits malware-infected sites.
Here is an example:
Apple released Mac OS X 10.6.8 in late June in preparation for Lion 10.7, and it also brought a plethora of security updates for both the operating system and Safari. About a month later came the next round of security updates, this time almost double the 28 items found in the 10.6.8 update. At this rate, it won’t be long until Apple is issuing weekly updates to OS X, just like Microsoft does with “Patch Tuesday.”