Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Can Apple Safari avoid another Pwn2Own embarrassment?

By | March 12, 2010, 10:12am PST

Summary: Apple has released a critical Safari security update but, based on what I’m hearing, this patching frenzy may not be enough to avoid another embarrassment at this year’s CanSecWest Pwn2Own hacker challenge.

Apple has shipped a new version of its Safari browser with fixes for 16 serious security vulnerabilities but, based on what I’m hearing, this patching frenzy may not be enough to avoid another embarrassment at this year’s CanSecWest Pwn2Own hacker challenge.

The newest Safari 4.0.5 update, available for Windows and Mac OS X, patches several flaws that could lead to remote code execution if a user simply surfs to a rigged Web site. These are exactly the kinds of drive-by download vulnerabilities that are typically used to attack Safari in the Pwn2Own contest.

At the RSA Conference last week, I spent a few minutes talking to hacker Charlie Miller about his plans for this year’s contest and he was quite blunt about the fact that he’s going to CanSecWest with a few Safari zero-day flaws in his back pocket.

Since Miller (almost) never reports vulnerabilities to software vendors, it’s a safe bet those flaws will remain unpatched until after the Pwn2Own contest, which is scheduled for the end of this month. Miller exploited Safari vulnerabilities to win the contest in 2008 and 2009.

This year’s challenge will have a big focus on mobile devices.  The organizers have put up a $60,000 bounty to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones. However, the Web browser is still in play with Safari on Mac and Safari on Windows on the list of targets.

[ SEE: Questions for Pwn2Own hacker Charlie Miller ]

Miller isn’t the only one discovering high-risk Safari vulnerabilities.  Just two weeks ago, a hacker known as “wushi” from team509 sold eight critical Safari vulnerabilities to TippingPoint Zero Day Initiative (ZDI), a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors.  Incidentally, ZDI is the sponsor of the Pwn2Own challenge.

A ZDI representative told me there are many more unpatched Safari vulnerabilities in its processing queue.  It should be noted that “wushi” is credited with a few of the WebKit bugs fixed in the latest Safari release.

Here’s the list of remote code execution flaws fixed with the new Safari 4.0.5:

  • ColorSync – An integer overflow, that could result in a heap buffer overflow, exists in the handling of images with an embedded color profile. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution.
  • ImageIO – A buffer underflow exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • ImageIO – A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Safari – An issue in Safari’s handling of external URL schemes may cause a local file to be opened in response to a URL encountered on a web page. Visiting a maliciously crafted website may lead to arbitrary code execution.
  • WebKit – A memory corruption issue exists in WebKit’s handling of CSS format() arguments. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • WebKit – Several use-after-free issues exist in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (These issues are credited to wushi of team509, working with TippingPoint’s Zero Day Initiative).
  • WebKit – Two different use-after-free issues exist in WebKit’s handling of callbacks for HTML elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Found internally by Apple security engineers.
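The ColorSync entry above describes the classic chain in which an integer overflow in a size calculation becomes a heap buffer overflow. As an added illustration (not Apple's code; the header struct, its field names and the sample values are constructed for this example), here is the vulnerable size computation beside a hardened one in C:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed image header for this example; the field names are ours,
 * not ColorSync's or ImageIO's. When the image comes from a web page,
 * an attacker controls all three values. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} img_hdr_t;

/* Constructed sample headers: one benign, one whose width * height
 * exceeds 2^32. */
const img_hdr_t BENIGN_HDR  = { 640u, 480u, 4u };
const img_hdr_t CRAFTED_HDR = { 0x10000u, 0x10001u, 4u };

/* Vulnerable pattern: the pixel-buffer size is computed in 32-bit
 * arithmetic. 0x10000 * 0x10001 = 2^32 + 0x10000 wraps to 0x10000, so
 * the crafted header yields a 256 KiB allocation while the decoder
 * later writes roughly 17 GB of pixel data into it: the integer
 * overflow has become a heap buffer overflow. */
uint32_t naive_pixel_bytes(const img_hdr_t *h) {
    return h->width * h->height * h->bytes_per_pixel;
}

/* Returns 1 when the naive size is smaller than the true 64-bit size,
 * i.e. when a buffer sized by naive_pixel_bytes() would be overrun. */
int naive_underallocates(const img_hdr_t *h) {
    uint64_t true_bytes = (uint64_t)h->width * h->height * h->bytes_per_pixel;
    return (uint64_t)naive_pixel_bytes(h) < true_bytes;
}

/* Hardened pattern: reject degenerate values, widen to 64 bits (two
 * 32-bit factors cannot overflow a uint64_t), and bound the product by
 * a policy cap before the last multiplication so the result can never
 * wrap. Returns the byte count, or -1 if the header is rejected. */
int64_t checked_pixel_bytes(const img_hdr_t *h) {
    const uint64_t MAX_PIXEL_BYTES = 256u * 1024u * 1024u; /* 256 MiB cap */
    if (h->width == 0 || h->height == 0 ||
        h->bytes_per_pixel == 0 || h->bytes_per_pixel > 16)
        return -1;
    uint64_t area = (uint64_t)h->width * h->height;
    if (area > MAX_PIXEL_BYTES / h->bytes_per_pixel)
        return -1;
    return (int64_t)(area * h->bytes_per_pixel);
}

int main(void) {
    printf("benign : naive=%u checked=%lld\n",
           naive_pixel_bytes(&BENIGN_HDR), (long long)checked_pixel_bytes(&BENIGN_HDR));
    printf("crafted: naive=%u (underallocates=%d) checked=%lld\n",
           naive_pixel_bytes(&CRAFTED_HDR), naive_underallocates(&CRAFTED_HDR),
           (long long)checked_pixel_bytes(&CRAFTED_HDR));
    return 0;
}
```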

Safari 4.0.5 is available via the Apple Software Update application or Apple’s Safari download site.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

102 Comments


RE: Can Apple Safari avoid another Pwn2Own embarrassment?
efsane Updated - 8th Apr 2011
Great!!! Thanks for sharing this information with us!
sesli sohbet sesli chat
0 Votes
Lame.
0 Votes
Uh, scuse me?
Lerianis10 12th Mar 2010
Last year they DID include Linux, and it was hacked as well.
0 Votes
'scuse you.
AzuMao 12th Mar 2010
' s c
u s e you.
0 Votes
If it has, it's news to the NSA, you fool. Quit spreading your rubbish without links or proof!

I just searched it out, and to date Linux has only been hacked itself in a lab and then quickly patched by the NSA with Secure Linux SELinux!

Hasn't been touched since, nor has it ever been infected in the wild! wink
0 Votes
Right...
LiquidLearner 16th Mar 2010
Linux has "never" been hacked? Wow... That's funny. I think you forgot your SarcMark
0 Votes
Not lame.
AzuMao 12th Mar 2010
Good business sense.
Pwn2Own probably gets tons of money from Microsoft and Apple to not let in competitors like Linux-based OSs.
Wouldn't you make the same decision in their position?
Apple and MS aren't keeping them out. The conference would welcome donations from LF.

Keep in mind these guys do this for bragging rights. Behind the scenes they make money doing this - off Apple and Microsoft. So they specialize where the money is. And that's not me talking, that's what they've said. No money from Linux, no work on breaking Linux.
..shell out as much cash as Apple and Microsoft. Right.

They just don't want to, because they're greedy as hell. That must be it.
0 Votes
CUE THE DOUBLE STANDARDS!!
Arm A. Geddon 12th Mar 2010
wink
0 Votes
Obvious
dev-null 13th Mar 2010
Since Linux is absolutely totally completely un-hackable, has never been hacked, and never ever ever will be hacked, it would only bring shame to everyone involved so of course it gets left out. Did you know that even if you have physical access and the root password, you STILL can't hack Linux ?????????
0 Votes
Your straw-man is weak.
AzuMao 13th Mar 2010
Perfection isn't necessary to make OSX and Windows look like garbage in comparison.
0 Votes
Straw Man
dev-null 13th Mar 2010
My comment was meant to be a parody on over-zealous advocates of OS'es, sorry if it came across as a SM argument. Some of the regular posters here are sure tiresome.
0 Votes
They aren't mutually exclusive.
AzuMao 13th Mar 2010
Windows apologists posting ridiculous straw-men like you just did are tiresome indeed.

Hint: nobody said Linux was perfect, just that it's not as crappy as the others.
0 Votes
Read Other Dev-Null Posts ...
PMC-CON 16th Mar 2010
He reiterates how crappy Linux is. You are just annoying - smug, with no teaching at all, just cant.
0 Votes
So you're trying to say..
AzuMao 16th Mar 2010
Since Linux is absolutely totally completely un-hackable, has never been hacked, and never ever ever will be hacked, it would only bring shame to everyone involved so of course it gets left out. Did you know that even if you have physical access and the root password, you STILL can't hack Linux ?????????

..that the above isn't a useless, spammy, off-topic straw-man argument?
0 Votes
Luser OSes need not apply...
Qbt Updated - 14th Mar 2010
.
0 Votes
And since
apostate 15th Mar 2010
Linux has been the Winner, not the "Luser" every time it was included...what does that say about Windows and Mac?

Thanks, for that clarification.
0 Votes
some more clarification...
FutureGuy 15th Mar 2010
...you might not like. In the last contest Vista was taken at the very end using a bug in Adobe flash on FF. It was later revealed that the same bug would have had the exact same effect on Linux. But they tried Vista first and one of the contest rules is the same bug can't be used on multiple platforms.

Why did they pick Vista? maybe cause they wanted to win a Vista machine and didn't care much for the Linux one?
I'm pretty sure AppArmor (installed by default on popular distros, and easy to install manually on others) wouldn't have let it do anything anyways.

If I'm wrong, all this says is that they're all equally "lusers".
If I'm right, just Windows and Mac are.
Either way, there's no excuse for excluding Linux other than Apple and/or Microsoft paying them to.
0 Votes
Prove Something, Prove ANYTHING
PMC-CON 16th Mar 2010
Talk is cheap. Walk the walk, prove just ONE of your points. Nit-picking argumentative posts relying on semantics are ... pointless.

So let's start: prove that MS and Apple pay to have their OSes hacked at this conference. Smug assertions that they do, in the face of their advertising campaigns emphasizing security, are just ridiculous. We'd laugh but you're too easy a target. Just a PITA most of the time.
0 Votes
Did you actually..
AzuMao 16th Mar 2010
..read the thread before commenting? It looks like you didn't even read my post.

Break-down for you:

DTS complains that Pwn2Own exclude Linux.
Qbt says that's because it's a "luser" OS (although Linux isn't even an OS).
Apostate points out Linux won when it was included, and Windows/OSX lost.
Futureguy says Linux would have lost too if it was attacked, and that the only reason it wasn't attacked is that Vista is preferred.
I pointed out another possible reason.

Then you came in flaming me.. why? You didn't even try to add anything to the discussion, yet you say my posts are painful to you, and don't even give any reason for that.

If you want me to prove the motivations of the hackers in that contest, I'm not going to be able to do so any more than the guy in the post I replied to could, because we're both just speculating.
You have to get over it. Linux is irrelevant on the desktop, that is why it's not included, got it? Clear?
Both remotely executable vulnerabilities are irrelevant then.
0 Votes
YOUR POST IS IRRELEVANT!!
Arm A. Geddon 12th Mar 2010
GOT IT!! GOOD!!
0 Votes
Wow.. someone's a bit touchy.
TheWerewolf 13th Mar 2010
You might want to take a break from all that selfless and exhausting evangelism and proselytising and relax a bit.
0 Votes
Re: Touchy.
Arm A. Geddon 13th Mar 2010
Nah, was just having some fun. I've been doing this for awhile now. I could really be bad. Just look at my username. wink
0 Votes
WebKit
hill60 12th Mar 2010
Apple could stop using or supporting WebKit and other open source software and move to a closed model.

That way these show offs won't have access to the full software code in order to spend months going over it looking for flaws.

I assume Chrome is also vulnerable to the same flaws.
0 Votes
would mean practically a total rebuild of their entire OS. That's not gonna happen.

Also, you are mistaken if you think not having the source code would hinder discovery of vulnerabilities.
0 Votes
Agreed. Obscurity != security.
AzuMao 12th Mar 2010
I've worked for two security firms and knew people who understood the hacker world. While I agree with you that obscurity != security, it does mean that the likelihood of being attacked is less. It is an issue of motivation and survival. The really serious guys that want to steal information will attack any kind of server whether unix, linux, windows or whatever - and do so successfully if you read the news. The glory seeking hackers will attack Windows desktops simply because they want their exploits and bots to survive.

Security is not so much which OS you use but what is between your ears. Any serious IT guy will know this. Much of the problem with Windows desktop is the user. People who tend to use linux are geeks like us and are bit more savvy security wise.

As I've pointed out, in the server world data shows that Windows servers have similar up-time to Linux. They do trail, but it is interesting that the reason Windows trails is not due to crashing or compromise but due to the need to reboot after patching, an area in which Linux is clearly superior to Windows.
It might make the likelihood of vulnerabilities being discovered by white hats and fixed lower, but isn't exploit code usually written in assembly anyways? So how would having to disassemble instead of having access to the source be a significant impediment to the bad guys? That's the language they're going to be most familiar with, not C or .NET or whatever the program was written in.

Closed source = less fixes, same exploits.
0 Votes
I've already read that.
AzuMao 16th Mar 2010
It's about someone writing nasties for.. a closed-source OS.
0 Votes
In which case..
AzuMao 12th Mar 2010
..the flaws would be left there indefinitely, only found by black hats (who are more used to working with disassembly than source code anyways).

Great idea not!
0 Votes
No embarrassment this year!
Trolleur 12th Mar 2010
There will be no Safari embarrassment this year!

Apple just fixed all the bugs in Safari!
0 Votes
nt
0 Votes
You're worse than Loverock.
AzuMao 12th Mar 2010
At least he pretends to RTFA before posting his straw-men, leading some to take them seriously.
0 Votes
look at his username. =) (n/t)
lostarchitect 12th Mar 2010
.
0 Votes
@DTS - Hey, don't go implying Linux can't be hacked
WinTard Updated - 12th Mar 2010
and in one fell sweep, invalidate all the positive contributions of the Pwn2Own contest?

With less than 1% of the market share after 18+ years in existence, who cares?

Linux doesn't get hacked that much, simply because it doesn't matter (to hackers at least).

http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=8
Windows 92.12%, Mac 5.02%, Linux 0.98%.

As for Linux vulnerabilities:
Google: http://www.google.com/search?q=linux+vulnerabilities
Results 1 - 10 of about 2,060,000 for linux vulnerabilities. (0.25 seconds)

http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1347186,00.html
http://secunia.com/advisories/search/?search=linux
Found: 9745 Secunia Security Advisories, displaying 1-25
http://web.nvd.nist.gov/view/vuln/search
There are 1,417 matching records. Displaying matches 1 through 20.
Google: http://www.google.com/search?q=linux+rootkit&oi=navquery_searchbox&sa=X&as_sitesearch=youtube.com
Results 1 - 10 of about 599 from youtube.com for linux rootkit. (0.35 seconds)

And on, and on {ad infinitum}...
0 Votes
Your post makes perfect sense.
AzuMao 12th Mar 2010
The machines controlling the core backbones of the Internet, and running most websites and other digital services, with OC-768 connections and higher, are completely irrelevant to hackers.

It simply makes much more sense for them to hack Joe Sixpack's desktop that has some free porn and a 56kb modem. Because free porn and Halo save-games are more valuable than banks and stock markets.



More is better, and comparing numbers of Google search results to judge actual occurrences of something is so totally scientific and factual, right?

So, you've only been wrong 13,800 times , where as the end of the world has already occurred 222,000,000 times.

Your solid arguments and keen logic have blown me away.

I bow down in awe to your supreme knowledge of the universe.
0 Votes
Actually, he is exactly right
Lerianis10 12th Mar 2010
Corporations have means with which they can find stuff if anything is 'out of the ordinary'.... Joe Sixpack on the other hand is liable to think that "Oh, I just forgot about something I bought!" unless the charge on his credit card is 1000 dollars or more, and let it go!
Look, his sacred scriptures have destroyed your insane lies.
0 Votes
Concerning OC-768, even OC-1 (Optical Carrier One) isn't controlled or serviced by Linux, but mainly nowadays by Cisco equipment.

And Cisco runs the Cisco IOS, which by the way is simply QNX from http://www.qnx.com/ hardened and customized. QNX is a realtime OS; Unix and Linux are certainly NOT realtime OSes.

Didn't you know that?

Linux certainly has a place, just not at the top-level of the Internet.

And Apache and TCP/IP have nothing to do with Linux either.

BTW, what you accuse me of, you are guilty of perfectly; ironic isn't it?

~~~~~~~~~~
When you judge another, you do not define them, you define yourself.
~ Wayne Dyer, American motivational Speaker and Author of self-help best selling books. b.1940
0 Votes
You forgot
dev-null 13th Mar 2010
Juniper, which uses JunOS, derived from BSD - oh wait, that's not linux either. Never mind.
Because that's what I accused you of.
0 Votes
Witty Riposte (Not)
PMC-CON Updated - 16th Mar 2010
Semantic tricks are tiresome.
0 Votes
What are you referring to?
AzuMao 16th Mar 2010
Nothing in this thread is based on semantics.

Did you mean sarcasm?

They both start with s, so your confusion is understandable.
0 Votes
It doesn't matter.
lostarchitect 12th Mar 2010
This stuff is good for all systems. These guys expose issues; the issues get fixed. Good news for all users.
0 Votes
When the product reputation is built...
Feldwebel Wolfenstool 12th Mar 2010
...upon intangibles, ultimately, this is all meaningless to the faithful.
0 Votes