
Can Apple Safari avoid another Pwn2Own embarrassment?

Apple has released a critical Safari security update but, based on what I'm hearing, this patching frenzy may not be enough to avoid another embarrassment at this year's CanSecWest Pwn2Own hacker challenge.
Written by Ryan Naraine, Contributor

Apple has shipped a new version of its Safari browser with fixes for 16 serious security vulnerabilities but, based on what I'm hearing, this patching frenzy may not be enough to avoid another embarrassment at this year's CanSecWest Pwn2Own hacker challenge.

The newest Safari 4.0.5 update, available for Windows and Mac OS X, patches several flaws that could lead to remote code execution if a user simply surfs to a rigged Web site. These are exactly the kinds of drive-by download vulnerabilities that have typically been used to attack Safari in the Pwn2Own contest.

At the RSA Conference last week, I spent a few minutes talking to hacker Charlie Miller about his plans for this year's contest and he was quite blunt about the fact that he's going to CanSecWest with a few Safari zero-day flaws in his back pocket.

Since Miller (almost) never reports vulnerabilities to software vendors, it's a safe bet those flaws will remain unpatched until after the Pwn2Own contest, which is scheduled for the end of this month. Miller exploited Safari vulnerabilities to win the contest in 2008 and 2009.

This year's challenge will have a big focus on mobile devices. The organizers have put up a $60,000 bounty to entice hackers to exploit vulnerabilities on iPhone, Android, Nokia and BlackBerry smartphones. However, the Web browser is still in play, with Safari on Mac and Safari on Windows on the list of targets.


Miller isn't the only one discovering high-risk Safari vulnerabilities. Just two weeks ago, a hacker known as "wushi" from team509 sold eight critical Safari vulnerabilities to TippingPoint's Zero Day Initiative (ZDI), a program that buys exclusive rights to vulnerability information and then brokers fixes with the affected vendors. Incidentally, ZDI is the sponsor of the Pwn2Own challenge.

A ZDI representative told me there are many more unpatched Safari vulnerabilities in its processing queue. It should be noted that "wushi" is credited with a few of the WebKit bugs fixed in the latest Safari release.


Here's the list of remote code execution flaws fixed with the new Safari 4.0.5:

  • ColorSync -- An integer overflow that could result in a heap buffer overflow exists in the handling of images with an embedded color profile. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution.
  • ImageIO -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • ImageIO -- A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Safari -- An issue in Safari's handling of external URL schemes may cause a local file to be opened in response to a URL encountered on a web page. Visiting a maliciously crafted website may lead to arbitrary code execution.
  • WebKit -- A memory corruption issue exists in WebKit's handling of CSS format() arguments. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • WebKit -- Several use-after-free issues exist in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (These issues are credited to wushi of team509, working with TippingPoint's Zero Day Initiative).
  • WebKit -- Two different use-after-free issues exist in WebKit's handling of callbacks for HTML elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Found internally by Apple security engineers.
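The ColorSync entry above describes the classic integer-overflow-to-heap-overflow pattern: an allocation size computed from attacker-controlled image dimensions wraps, a too-small buffer is allocated, and the decoder then writes past its end. The C example below is added here to illustrate that pattern and is not Apple's ColorSync or ImageIO code; the header fields, the MAX_IMAGE_BYTES cap, the decoder and the sample pixel buffer are all constructed for illustration. It shows the naive 32-bit size computation beside a hardened version that checks every multiplication and bounds the result.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy cap on a decoded image (constructed value, not Apple's). A parser
 * that accepts arbitrary dimensions needs some such bound in addition to
 * the overflow check, or an attacker can still exhaust memory. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Vulnerable pattern: the allocation size is computed in 32-bit arithmetic
 * straight from attacker-controlled header fields. 65536 x 65536 x 1 wraps
 * to 0, so a tiny buffer is allocated and a decoder that trusts the header
 * then writes 4 GiB of pixel data into it: a heap buffer overflow born from
 * an integer overflow. */
uint32_t unchecked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* unsigned, wraps modulo 2^32 */
}

/* Hardened pattern: every multiplication is tested before it can overflow,
 * zero dimensions are rejected, and the result is capped.
 * Returns 0 when the header is rejected, otherwise the exact byte count. */
size_t checked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)
        return 0;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bpp)
        return 0;
    size_t bytes = pixels * bpp;
    if (bytes > MAX_IMAGE_BYTES)
        return 0;
    return bytes;
}

/* Decoder built on the hardened size: copies pixel rows from src into a
 * fresh heap buffer and never trusts the header more than the actual input
 * length. Returns a malloc'd buffer (caller frees) or NULL on rejection. */
uint8_t *decode_pixels_checked(uint32_t width, uint32_t height, uint32_t bpp,
                               const uint8_t *src, size_t src_len)
{
    size_t need = checked_buffer_size(width, height, bpp);
    if (need == 0 || src == NULL || src_len < need)
        return NULL;
    uint8_t *dst = malloc(need);
    if (dst == NULL)
        return NULL;
    size_t row_bytes = (size_t)width * bpp;
    for (uint32_t y = 0; y < height; y++) {
        /* (y + 1) * row_bytes <= need because need was derived from the
         * same width/height/bpp with overflow checks. */
        memcpy(dst + (size_t)y * row_bytes, src + (size_t)y * row_bytes, row_bytes);
    }
    return dst;
}

/* Constructed sample run (not a real image): returns 1 when the hardened
 * path accepts a sane 64x64x4 image and rejects the 65536x65536x1 header
 * whose naive 32-bit size wraps to zero. */
int run_demo(void)
{
    uint8_t pixels[64 * 64 * 4];            /* constructed pixel data */
    memset(pixels, 0xAB, sizeof pixels);

    uint8_t *ok = decode_pixels_checked(64, 64, 4, pixels, sizeof pixels);
    int sane_accepted = (ok != NULL && ok[sizeof pixels - 1] == 0xAB);
    free(ok);

    int wrapped = (unchecked_buffer_size(0x10000u, 0x10000u, 1u) == 0u);
    int rejected = (decode_pixels_checked(0x10000u, 0x10000u, 1u,
                                          pixels, sizeof pixels) == NULL);

    return sane_accepted && wrapped && rejected;
}

int main(void)
{
    printf("naive size for 65536x65536x1:   %u bytes\n",
           unchecked_buffer_size(0x10000u, 0x10000u, 1u));
    printf("checked size for 65536x65536x1: %zu (0 = rejected)\n",
           checked_buffer_size(0x10000u, 0x10000u, 1u));
    return run_demo() ? 0 : 1;
}
```

The point of the hardened version is not only the overflow check: the decoder also refuses to read more than src_len bytes, so a header that lies about the image's size cannot drive an over-read of the input either. Compiling the naive function with -ftrapv or using __builtin_mul_overflow would catch the same wrap at runtime, but an explicit check plus an upper bound is what a reviewer wants to see in a format parser.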

Safari 4.0.5 is available via the Apple Software Update application or Apple's Safari download site.
