Apple to patch Safari before Pwn2Own, say researchers
Clues point to impending update that will beef up browser before next week's hacking contest
Computerworld - Apple will patch its Safari browser before the Pwn2Own hacking contest kicks off next week, security researchers hinted today.
If accurate, Apple will join both Google and Mozilla, which earlier this week issued security updates for Chrome and Firefox as preparation for Pwn2Own.
On Wednesday, Apple patched a record 57 vulnerabilities in its iTunes music software; 50 of those bugs were attributed to WebKit, the open-source browser engine that Safari's built on. iTunes relies on WebKit to render its online store component.
"Anti-pwn2own again: Apple fixed a record of 50 vuln[erabilities] in WebKit (iTunes), and is preparing the update for Safari/Mac OS X," said French security firm Vupen in a message on its Twitter account.
Vupen's mention of Pwn2Own refers to the annual hacking contest held at the CanSecWest security conference in Vancouver, British Columbia. This year's Pwn2Own runs March 9-11.
At Pwn2Own, security researchers will compete for $65,000 in prizes by trying to take down the most up-to-date editions of Safari 5, Google's Chrome 9, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.
It's not unusual for Apple to patch WebKit flaws in one application before it rolls out those same fixes for another. In the past, however, it's usually patched WebKit vulnerabilities in Safari before addressing them in iTunes.
Other clues to an upcoming Safari update came from HP TippingPoint -- coincidentally the sponsor of Pwn2Own -- which issued advisories on two WebKit bugs patched in iTunes yesterday. The bugs were originally reported to TippingPoint's Zero Day Initiative (ZDI) bug bounty program; ZDI passed the reports to Apple last October.
Both the advisories said that attackers could exploit the bugs to "execute arbitrary code on vulnerable installations of Apple ... WebKit" and that the vulnerabilities could be triggered using "drive-by" tactics that only require a victim to visit a malicious Web site.
Another hint that Safari will be patched soon came from the iTunes advisory posted by Apple on Wednesday. None of the 50 WebKit bugs listed in the advisory were accompanied by the usual terse Apple description; instead, Apple only noted the CVE (Common Vulnerabilities and Exposures) identifying number and the researcher(s) who first reported the flaw.
More than 30 of the 50 WebKit vulnerabilities were credited to Google researchers and developers. Google's Chrome, like Safari, is built on the WebKit engine.
If Apple patches Safari, it will be the third browser to update this week.
Last year, only Apple and Google updated their browsers just before Pwn2Own. Mozilla acknowledged a critical vulnerability in Firefox less than a week before 2010's contest, but said it wouldn't fix the flaw in time for the challenge. Pwn2Own organizers later ruled that Firefox vulnerability off limit.
Assuming Apple updates Safari, of the four Pwn2Own-targeted browsers, only Internet Explorer (IE) will remain unpatched in the days leading up to the contest. Microsoft last issued fixes for IE flaws on Feb. 8 as part of its monthly Patch Tuesday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts