Update: Apple patches Safari's $10,000 bug, fixes other flaws
Eagle-eyed security types may have known of bug for weeks, says contest winner
Computerworld - Apple Inc. yesterday patched four flaws in its Safari browser, including the critical vulnerability used by a researcher last month to hack a MacBook Air and claim a $10,000 check at the "Pwn 2 Own" contest.
This is the second time in the past four weeks that Apple has patched its browser.
Safari 3.1.1, released on Wednesday for both Mac OS X and Windows, plugged four holes altogether. All four were present in the Windows XP and Vista editions; the Mac version, however, contained just two.
The contest vulnerability was in WebKit, the open-source project that provides the core engine for Apple's browser, as well as rendering code for other Mac OS X applications, including Mail and Dashboard.
In exchange for the $10,000 prize awarded by 3Com Corp.'s TippingPoint unit, which runs a bug bounty program called the Zero Day Initiative (ZDI), Charlie Miller and his fellow researchers turned over the vulnerability and signed a nondisclosure agreement that prevented them from discussing their findings until the bug was patched.
Apple also patched a cross-site scripting vulnerability, an address-bar spoofing bug and a flaw in Safari's file downloading in the 3.1.1 release. The first was fixed in both the Mac and Windows versions, but the second and third existed only in the Windows edition.
Two of the four vulnerabilities were labeled as possibly leading to "arbitrary code execution," which is Apple's way of saying "critical."
Not surprisingly, Miller praised the Pwn 2 Own concept. "We wouldn't have looked for the bug if not for the contest," he said. "We found it, we reported it, and it's now fixed. It would still be in the WebKit code without the contest."
Safari 3.1.1 can be downloaded from Apple's Web site in versions for Mac OS X 10.4 (Tiger), Mac OS X 10.5 (Leopard), Windows XP and Windows Vista.