On Friday, Danish vulnerability tracking firm Secunia published information on two vulnerabilities in the Safari web browser, following Apple's reluctance to provide an estimated timeframe for when it plans to issue a patch.
Secunia disclosed the "moderately critical" plug-in unloading vulnerability, which could lead to an attacker gaining remote control of the system, to Apple six months ago. The less critical address bar spoofing vulnerability was reported to Apple over eight and a half months ago.
In both cases, Apple failed to provide a targeted patch release date despite Secunia's multiple attempts to obtain a status update that included one. Three and a half months after the bugs were reported, Apple stated that the vulnerabilities had been confirmed and were being investigated. No further details were provided, and Apple ultimately stated that commenting on fix dates was against its policy.
Vendors are given a six-month semi-hard deadline to fix vulnerabilities reported via the Secunia Vulnerability Coordination Reward Program (SVCRP), which offers researchers a way to have their bug findings confirmed and reported to vendors.
The vulnerabilities have been confirmed in versions 5.0.5 (7533.21.1) and 5.1.2 (7534.52.7), but other versions may be affected.