Update: Apple patches Safari's $10,000 bug, fixes other flaws
Eagle-eyed security types may have known of bug for weeks, says contest winner
Computerworld - Apple Inc. yesterday patched four flaws in its Safari browser, including the critical vulnerability used by a researcher last month to hack a MacBook Air and claim a $10,000 check at the "Pwn 2 Own" contest.
This is the second time in the past four weeks that Apple has patched its browser.
Safari 3.1.1, released on Wednesday in versions for both Mac OS X and Windows users, plugged four holes altogether. All were present in the Windows XP and Vista editions; the Mac version, however, sported just two.
WebKit is the open-source project that provides the core engine for Apple's browser, as well as rendering code for other Mac OS X applications, including Mail and Dashboard.
In exchange for the $10,000 prize awarded by 3Com Corp.'s TippingPoint unit, which runs a bug bounty program called the Zero Day Initiative (ZDI), Miller and his fellow researchers turned over the vulnerability and signed a nondisclosure agreement that prevented them from discussing their findings until the bug was patched.
Apple also patched a cross-site scripting vulnerability, an address-bar spoofing bug and a flaw in Safari's file downloading in the 3.1.1 release. The first was fixed in both the Mac and Windows versions, but the second and third existed only in the Windows edition.
Two of the four vulnerabilities were labeled as possibly leading to "arbitrary code execution," which is Apple's way of saying "critical."
Not surprisingly, Miller praised the Pwn 2 Own concept. "We wouldn't have looked for the bug if not for the contest," he said. "We found it, we reported it, and it's now fixed. It would still be in the WebKit code without the contest."
Safari 3.1.1 can be downloaded from Apple's Web site in versions for Mac OS X 10.4 (Tiger), Mac OS X 10.5 (Leopard), Windows XP and Windows Vista.