Security holes uncovered by Google in Apple’s Safari Browser, as Microsoft readies final patches for XP

Graham Cluley

Next Tuesday, April 8 2014, will see a very special bundle of “Patch Tuesday” updates coming from Microsoft.

What will make the patches memorable will not be so much what vulnerabilities they protect Windows computer users against, but rather that they will include – for the very last time – security patches for the ageing Windows XP platform.

Yes, after April 8th it won’t matter how serious the vulnerability is or how many people might be at risk: Microsoft has said it will simply not release any more vulnerability fixes for the retired operating system.

Of course, this hasn’t gone unnoticed by the technology press – who are full of stories about how malicious hackers might attempt to exploit the situation by attacking Windows XP machines with until-now unknown vulnerabilities they have kept in their back pockets.

Indeed, some have even dubbed the days after April 8th – in rather tabloid fashion – the XPocalypse. Yes, really.

There is a very real risk of course, even if your computer is unlikely to turn into a puddle of bubbling goo on the morning of April 9th.

The danger is that if you have a Windows XP computer connected to the internet, hackers will abuse it in an attempt to steal your data, spy on you, send spam, or commandeer your bandwidth in a distributed denial-of-service attack.

And, by the time Microsoft issues its next scheduled bundle of patches on the second Tuesday of *May* 2014 (which will be designed to protect Windows computers *other* than those running XP), malicious hackers might reverse engineer the fixes and determine that the flaws are also present on the now-retired operating system, and target vulnerable users.

Lumension expert Paul Henry has previously blogged about the risks for those users and companies still running Windows XP, and listed some recommendations for those who are interested.

So, get ready to help people who are stuck on XP, whether they be your friendly IT helpdesk guy battling to keep an entire company malware-free without a budget to buy new, more powerful computers, or members of your family baffled as to why their computer will never be as safe again.

But also bear in mind that vulnerabilities don’t just hit Microsoft’s operating systems.

Just this week, Apple has released a very important update for its Safari browser, incorporating a series of security fixes that patch over 25 vulnerabilities.

As described in Apple’s support knowledgebase article, the vulnerabilities relate to WebKit, the web-rendering engine that sits at the heart of the Apple Safari browser, and the basis for the Blink engine fork used by rival browser Google Chrome.


As Apple describes it, Mac users could find themselves unwittingly and unknowingly running malicious code (such as a Trojan horse) on their computers just by visiting a boobytrapped website.

Funnily enough, most of the security vulnerabilities were discovered by the Google Chrome Security Team.

Less amusingly, it appears that it has taken Apple an awful long time to fix some of these security holes – which were reported by Google and others to the Cupertino company as far back as 2013.

It’s good that these vulnerabilities were disclosed responsibly to Apple, so that it could fix its software without the risk that full disclosure brings, namely customers being put at risk by hackers exploiting the flaw before a patch exists. However, questions must be asked as to whether the flaws have been patched quickly enough.

You can’t help but feel that, once again, Apple has been guilty of a tardy response when it comes to properly securing Mac OS X users. It seems to me that there is definitely room for improvement.

Apple recommends that Mac OS X users update to Safari 7.03 or Safari 6.1.3 as soon as possible to patch the security flaws.

This article originally appeared on the Lumension blog.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.