Update: Apple patches Safari's $10,000 bug, fixes other flaws
Eagle-eyed security types may have known of bug for weeks, says contest winner
Computerworld - Apple Inc. yesterday patched four flaws in its Safari browser, including the critical vulnerability used by a researcher last month to hack a MacBook Air and claim a $10,000 check at the "Pwn 2 Own" contest.
This is the second time in the past four weeks that Apple has patched its browser.
Safari 3.1.1, released on Wednesday in versions for both Mac OS X and Windows users, plugged four holes altogether. All were present in the Windows XP and Vista editions; the Mac version, however, sported just two.
WebKit is the open-source project that provides the core engine for Apple's browser, as well as rendering code for other Mac OS X applications, including Mail and Dashboard.
In exchange for the $10,000 prize awarded by 3Com Corp.'s TippingPoint unit, which runs a bug bounty program called the Zero Day Initiative (ZDI), Miller and his fellow researchers turned over the vulnerability and signed a nondisclosure agreement that prevented them from discussing their findings until the bug was patched.
Apple also patched a cross-site scripting vulnerability, an address-bar spoofing bug and a flaw in Safari's file downloading in the 3.1.1 release. The first was fixed in both the Mac and Windows versions, but the second and third existed only in the Windows edition.
Two of the four vulnerabilities were labeled as possibly leading to "arbitrary code execution," which is Apple's way of saying "critical."
Not surprisingly, Miller praised the Pwn 2 Own concept. "We wouldn't have looked for the bug if not for the contest," he said. "We found it, we reported it, and it's now fixed. It would still be in the WebKit code without the contest."
Safari 3.1.1 can be downloaded from Apple's Web site in versions for Mac OS X 10.4 (Tiger), Mac OS X 10.5 (Leopard), Windows XP and Windows Vista.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts