Apple Safari Gets Update for Six Flaws

Netstat -vat by Sean Michael Kerner

A command line view of IT


From the “Heckling in the Cheap Seats” files:

Apple is updating its Safari Web browser on both the Mac and Windows platforms to version 4.0.3. The new browser release fixes at least six different security issues that could potentially expose users to risk.

The Safari 4.0.3 update follows a Mac OS X 10.5.8 update by a week, which has caused one security analyst to label Apple’s software update process as occurring “…at a haphazard pace.”

“This release makes the contrast between the security processes of Microsoft and Apple even more stark,” Andrew Storms, director of security operations for nCircle, said in an e-mail sent to “Microsoft’s release was planned, but Apple’s updates seem to arrive at a haphazard pace.”

I personally disagree with Storms’ comments. As a Linux user myself, I’m used to getting updates when updates are needed and available, and not at some arbitrary monthly level. Certainly, the Safari browser is an integral part of the Mac OS X experience but it is also a standalone application that has millions of Windows users too, who don’t necessarily need to be tied to the Apple OS X updates.

Looking at the Safari 4.0.3 update itself, two of the fixed issues — one for ImageIO and one for CoreGraphics — are both malicious image issues for Windows users. Similar issues were fixed in Mac OS X 10.5.8 itself at an operating system level and not the browser level.

Additionally, Safari 4.0.3 includes three advisories for issues affecting its WebKit rendering engine. WebKit is a technology also used by Google Chrome and as such, I suspect that there is a level of what I will call ‘developer diplomacy’ that Apple needs to navigate in order not to expose other WebKit users to risk prematurely.
