Update: Apple patches Safari's $10,000 bug, fixes other flaws

Comments

Related

Active Comments

Anonymous says: Ok, we finally find out it was java-script. then any web page could have had a similar malware drive-by. looks...

Read the rest | Reply

Anonymous says: I have not had much fun using Safari. There were some sites I could not get to. I still like...

Read the rest | Reply

All Comments (5) | Post New

• Apple adds DMCA charge to lawsuit against Psystar
• Apple updates Safari for second time in two weeks
• Apple's Snow Leopard OS: Ahead of schedule?
• Apple wins antitrust fight with Psystar, judge tosses claims
• Apple plays catch-up, ads anti-fraud safeguard to Safari

Zone

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

April 17, 2008 (Computerworld) Apple Inc. yesterday patched four flaws in its Safari browser, including the critical vulnerability used by a researcher last month to hack a MacBook Air and claim a $10,000 check at the "Pwn 2 Own" contest.

This is the second time in the past four weeks that Apple has patched its browser.

Safari 3.1.1, released on Wednesday in versions for both Mac OS X and Windows users, plugged four holes altogether. All were present in the Windows XP and Vista editions; the Mac version, however, sported just two.

One of those, however, was used by Charlie Miller three weeks ago to break into a MacBook Air laptop on the second day of the hacker challenge held at the CanSecWest security conference. The bug that Miller used was in WebKit's handling of JavaScript regular expressions.

WebKit is the open-source project that provides the core engine for Apple's browser, as well as rendering code for other Mac OS X applications, including Mail and Dashboard.

On Thursday, Miller said that he and two colleagues at Independent Security Evaluators LLC (ISE), a Baltimore-based security consulting company, dug up the JavaScript vulnerability in WebKit two or three weeks before the contest. "They fixed the bug in the [WebKit] source code the next day," said Miller today. "I couldn't say anything about that until now, but if you'd been paying attention, you would have known about the Safari bug for the last three weeks."

In exchange for the $10,000 prize awarded by 3Com Corp.'s TippingPoint unit, which runs a bug bounty program called the Zero Day Initiative (ZDI), Miller and his fellow researchers turned over the vulnerability and signed a nondisclosure agreement that prevented them from discussing their findings until the bug was patched.

Apple also patched a cross-site scripting vulnerability, an address-bar spoofing bug and a flaw in Safari's file downloading in the 3.1.1 release. The first was fixed in both the Mac and Windows versions, but the second and third existed only in the Windows edition.

Two of the four vulnerabilities were labeled as possibly leading to "arbitrary code execution," which is Apple's way of saying "critical."

Although the winning Pwn 2 Own vulnerability is sure to get the most attention, Miller thought he'd been foiled before the contest even kicked off. "A few days after we found the [JavaScript regular expression] bug, we thought WebKit had found it. 'Oh, no,' I thought. But it wasn't the same [vulnerability]."

Not surprisingly, Miller praised the Pwn 2 Own concept. "We wouldn't have looked for the bug if not for the contest," he said. "We found it, we reported it, and it's now fixed. It would still be in the WebKit code without the contest."

Safari 3.1.1 can be downloaded from Apple's Web site in versions for Mac OS X 10.4 (Tiger), Mac OS X 10.5 (Leopard), Windows XP and Windows Vista.