Apple patches Safari's Pwn2Own vulnerability, two-dozen other critical bugs

Cupertino again leaves Snow Leopard users out in the cold by omitting fixes for Safari 5.1.10

Apple on Tuesday patched the security vulnerability in Safari that was successfully exploited at last month's Pwn2Own hacking contest, where a team cracked the browser to win $65,000.

The Cupertino, Calif. company seeded updates for both Safari 6 and Safari 7 yesterday, promoting the former to version 6.1.3 and the latter to 7.0.3.

Safari 6.x runs on OS X 10.7, aka Lion, and OS X 10.8, better known as Mountain Lion. Safari 7.x runs on OS X 10.9, or Mavericks.

Apple patched 27 vulnerabilities in Safari 6 and Safari 7, all in WebKit, the open-source browser engine that powers Safari, and all but one considered critical in that they could allow, the company said, "arbitrary code execution," Apple's terminology for the most serious bugs.

Among the 27 was the one used by "Keen Team," a Shanghai-based group of security researchers who hacked Safari on the second day of this year's Pwn2Own, held March 12-13 at the CanSecWest security conference in Vancouver, British Columbia.

Of the others, more than half were reported by the Google Chrome security team, which still works on WebKit, even though Google's browser has switched to a different fork, dubbed "Blink," for its foundation.

Another was attributed to French vulnerability seller Vupen, which also sent a team to Pwn2Own. Vupen hacked several targets, including Chrome, Adobe Reader and Adobe Flash, and Microsoft's Internet Explorer, taking home $400,000 of the total contest payout of $850,000. The bug patched in WebKit -- and thus in Safari -- was one of several used by Vupen to exploit Chrome.

Tuesday's Safari update was the second since December that omitted patches for Safari 5.1.10, Apple's most-current browser for OS X 10.6 Snow Leopard, the 2009 operating system that Apple has stopped supporting with security fixes.

Apple delivered the final security update for Snow Leopard in September 2013.

Last month, Apple made it even plainer that it had stopped supporting Snow Leopard, patching 33 vulnerabilities in Lion, Mountain Lion and Mavericks, but fixing none of the same flaws in Snow Leopard. Many OS X 10.6 users refused to believe that Apple had stopped fixing the operating system, and in comments appended to a February story in Computerworld argued that the flaws didn't exist in Snow Leopard and because Apple continues to sell Snow Leopard on its e-store it must still be supporting the five-year-old OS.

In fact, many of the vulnerabilities patched last month in other editions do exist in Snow Leopard: Apple fixed numerous bugs in the core components of those versions -- including Apple's own QuickTime and open-source bits like Apache and PHP -- that are part of every Mac operating system, Snow Leopard included.

Apple does sell Snow Leopard from its online store -- the price is $19.99 -- but as an interim step for customers running even older editions who can, and want to, upgrade to something newer, such as Lion or Mountain Lion. Snow Leopard is offered by Apple because it's the oldest edition that provides access to the Mac App Store, the sole distribution outlet for all later OS X upgrades, including Lion, Mountain Lion and Mavericks, which are available only as downloads.

Also part of Tuesday's update for Safari 7 were several non-security improvements and enhancements, including a new preference setting that lets users turn off website notifications and a fix for a glitch where the browser loaded a page or generated search results before the user pressed the return key.

Safari 7.0.3 and 6.1.3 can be obtained by selecting "Software Update..." from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right.

[Image: Push notification preference] By unchecking this box in Safari 7.0.3, Mavericks users block all incoming website push notifications, a feature many find irritating and disruptive.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.

Copyright © 2014 IDG Communications, Inc.
