About the security content of Safari 6.2 and Safari 7.1

This document describes the security content of Safari 6.2 and Safari 7.1.

This update can be downloaded and installed using Software Update or from the Apple Support website.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see Apple Security Updates.

Safari 6.2 and Safari 7.1

  • Safari

    Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

    Impact: An attacker with a privileged network position may intercept user credentials

    Description: Saved passwords were autofilled on http sites, on https sites with broken trust, and in iframes. This issue was addressed by restricting password autofill to the main frame of https sites with valid certificate chains.

    CVE-ID

    CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford University working with Eric Chen and Collin Jackson of Carnegie Mellon University

  • WebKit

    Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2013-6663 : Atte Kettunen of OUSPG

    CVE-2014-4410 : Eric Seidel of Google

    CVE-2014-4411 : Google Chrome Security Team

    CVE-2014-4412 : Apple

    CVE-2014-4413 : Apple

    CVE-2014-4414 : Apple

    CVE-2014-4415 : Apple

  • WebKit

    Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

    Impact: A malicious website may be able to track users even when private browsing is enabled

    Description: A web application could store HTML 5 application cache data during normal browsing and then read the data during private browsing. This was addressed by disabling access to the application cache when in private browsing mode.

    CVE-ID

    CVE-2014-4409 : Yosuke Hasegawa (NetAgent Co., Led.)

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Last Modified: