Update: Apple patches Safari's $10,000 bug, fixes other flaws

Eagle-eyed security types may have known of bug for weeks, says contest winner

Apple Inc. yesterday patched four flaws in its Safari browser, including the critical vulnerability used by a researcher last month to hack a MacBook Air and claim a $10,000 check at the "Pwn 2 Own" contest.

This is the second time in the past four weeks that Apple has patched its browser.

Safari 3.1.1, released on Wednesday in versions for both Mac OS X and Windows users, plugged four holes altogether. All were present in the Windows XP and Vista editions; the Mac version, however, sported just two.

One of those, however, was used by Charlie Miller three weeks ago to break into a MacBook Air laptop on the second day of the hacker challenge held at the CanSecWest security conference. The bug that Miller used was in WebKit's handling of JavaScript regular expressions.

WebKit is the open-source project that provides the core engine for Apple's browser, as well as rendering code for other Mac OS X applications, including Mail and Dashboard.

On Thursday, Miller said that he and two colleagues at Independent Security Evaluators LLC (ISE), a Baltimore-based security consulting company, dug up the JavaScript vulnerability in WebKit two or three weeks before the contest. "They fixed the bug in the [WebKit] source code the next day," said Miller today. "I couldn't say anything about that until now, but if you'd been paying attention, you would have known about the Safari bug for the last three weeks."

In exchange for the $10,000 prize awarded by 3Com Corp.'s TippingPoint unit, which runs a bug bounty program called the Zero Day Initiative (ZDI), Miller and his fellow researchers turned over the vulnerability and signed a nondisclosure agreement that prevented them from discussing their findings until the bug was patched.

Apple also patched a cross-site scripting vulnerability, an address-bar spoofing bug and a flaw in Safari's file downloading in the 3.1.1 release. The first was fixed in both the Mac and Windows versions, but the second and third existed only in the Windows edition.

Two of the four vulnerabilities were labeled as possibly leading to "arbitrary code execution," which is Apple's way of saying "critical."

Although the winning Pwn 2 Own vulnerability is sure to get the most attention, Miller thought he'd been foiled before the contest even kicked off. "A few days after we found the [JavaScript regular expression] bug, we thought WebKit had found it. 'Oh, no,' I thought. But it wasn't the same [vulnerability]."

Not surprisingly, Miller praised the Pwn 2 Own concept. "We wouldn't have looked for the bug if not for the contest," he said. "We found it, we reported it, and it's now fixed. It would still be in the WebKit code without the contest."

Safari 3.1.1 can be downloaded from Apple's Web site in versions for Mac OS X 10.4 (Tiger), Mac OS X 10.5 (Leopard), Windows XP and Windows Vista.

Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon