Update: Apple patches Pwn2Own bug, 55 others in Mac OS

Fixes Snow Leopard version of flaw that researchers used to hack iPhone at contest, win $15K

Editor's note: This story has been changed since it was originally posted to correct a statement that researchers Charlie Miller and Dion Blazakis sold an unused Mac OS X vulnerability to HP TippingPoint's bug bounty program at the conclusion of the Pwn2Own hacking contest.

Apple on Monday patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines, as part of 2011's first broad update of Mac OS X.

Among the fixes was one for a vulnerability also found in iOS that four-time Pwn2Own winner Charlie Miller and his research partner Dion Blazakis used to hack an iPhone at the contest earlier this month.

Of the 56 bugs patched in the update for Snow Leopard, 45 were accompanied by the phrase "arbitrary code execution," Apple-speak for rating the flaws as "critical." Unlike many other major software makers, like Microsoft and Oracle, Apple doesn't assign severity rankings to vulnerabilities.

According to Apple's advisory, more than a dozen of the bugs can be exploited by "drive-by" attacks that execute as soon as a victim browses to a malicious Web site with an unpatched edition of Mac OS X.

Several in that class resided in Apple Type Services (ATS), the operating system's font renderer, and could be exploited using malicious documents embedded with specially crafted fonts. Of those four vulnerabilities, two were reported by researchers from Apple's rival Google.

Other drive-by attacks could be launched using malformed files exploiting six vulnerabilities in Mac OS X's ImageIO component, another five in QuickTime and two in QuickLook, the operating system's document preview tool.

One of the latter was uncovered by Miller and Blazakis, researchers with the Baltimore-based consulting firm Independent Security Evaluators (ISE). Miller, who has won cash prizes at the Pwn2Own hacking challenge four years running, and Blazakis used a bug in a component of iOS similar to QuickLook on Apple's iPhone at the contest.

Apple has now patched that bug in Mac OS X, but it remains unfixed in iOS. According to reports, Apple will release an update for iOS 4.2 shortly.

Miller also said that yesterday's update fixed other bugs he had found but never disclosed or reported to Apple.

"[Mac OS X] 10.6.7 fixes a ton of bugs. It slaughters at least 4 I was sitting on including my OS X entry to pwn2own I didn't get to use," said Miller in a Monday tweet .

Miller had a different vulnerability in his pocket that he would have used to hack Safari at Pwn2Own had he drawn a higher spot in that part of the contest. But a team from the French security company Vupen, which had the first crack, broke Safari and hijacked a MacBook Air to win the $15,000 prize with a different bug.

The second day of Pwn2Own, Miller and Blazakis exploited the QuickLook bug in iOS and walked off with their own check for $15,000.

HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program sponsored Pwn2Own and paid out the cash prizes. TippingPoint purchases vulnerabilities and exploits used at the contest, then reports them to vendors. It gives companies six months to patch a flaw before going public with any technical information.

The update to Mac OS X 10.6.7 fixed several non-security bugs, including issues in the AirPort Wi-Fi driver, and offered numerous enhancements, such as a reliability improvement to MobileMe's Back to Mac remote access technology.

Users of new MacBook Pro notebooks also received a fix that Apple said would "improve graphics stability and external display compatibility" in the laptops, Apple's first to boast processors from Intel's new Sandy Bridge line.

Apple's support forum has been flooded with complaints that the new MacBook Pros lock up when stressed by graphics processing chores.

Mac OS X 10.6.7 and the separate 2011-001 security update for Leopard can be downloaded at the Apple site or installed using the operating system's integrated update service.

The update downloads weigh in between 241MB and 475MB for the client versions of Snow Leopard and Leopard.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Copyright © 2011 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon