Can Apple Safari avoid another Pwn2Own embarrassment?

Summary: Apple has released a critical Safari security update but, based on what I'm hearing, this patching frenzy may not be enough to avoid another embarrassment at this year's CanSecWest Pwn2Own hacker challenge.

Apple has shipped a new version of its Safari browser with fixes for 16 serious security vulnerabilities but, based on what I'm hearing, this patching frenzy may not be enough to avoid another embarrassment at this year's CanSecWest Pwn2Own hacker challenge.

The newest Safari 4.0.5 update, available for Windows and Mac OS X, patches several flaws that could lead to remote code execution if a user simply surfs to a rigged Web site. These are exactly the kinds of drive-by download vulnerabilities that are typically used to attack Safari in the Pwn2Own contest.

At the RSA Conference last week, I spent a few minutes talking to hacker Charlie Miller about his plans for this year's contest and he was quite blunt about the fact that he's going to CanSecWest with a few Safari zero-day flaws in his back pocket.

Since Miller (almost) never reports vulnerabilities to software vendors, it's a safe bet those flaws will remain unpatched until after the Pwn2Own contest, which is scheduled for the end of this month. Miller exploited Safari vulnerabilities to win the contest in 2008 and 2009.

This year's challenge will have a big focus on mobile devices.  The organizers have put up a $60,000 bounty to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones. However, the Web browser is still in play with Safari on Mac and Safari on Windows on the list of targets.

[ SEE: Questions for Pwn2Own hacker Charlie Miller ]

Miller isn't the only one discovering high-risk Safari vulnerabilities.  Just two weeks ago, a hacker known as "wushi" from team509 sold eight critical Safari vulnerabilities to TippingPoint Zero Day Initiative (ZDI), a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors.  Incidentally, ZDI is the sponsor of the Pwn2Own challenge.

A ZDI representative told me there are many more unpatched Safari vulnerabilities in its processing queue.  It should be noted that "wushi" is credited with a few of the WebKit bugs fixed in the latest Safari release.

Here's the list of remote code execution flaws fixed with the new Safari 4.0.5:

  • ColorSync -- An integer overflow that could result in a heap buffer overflow exists in the handling of images with an embedded color profile. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution.
  • ImageIO -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • ImageIO -- A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • Safari -- An issue in Safari's handling of external URL schemes may cause a local file to be opened in response to a URL encountered on a web page. Visiting a maliciously crafted website may lead to arbitrary code execution.
  • WebKit -- A memory corruption issue exists in WebKit's handling of CSS format() arguments. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • WebKit -- Several use-after-free issues exist in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (These issues are credited to wushi of team509, working with TippingPoint's Zero Day Initiative.)
  • WebKit -- Two different use-after-free issues exist in WebKit's handling of callbacks for HTML elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Found internally by Apple security engineers.
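The first entry in the list describes a classic bug class: a size computation that overflows, so the heap buffer allocated from it is too small for the data later written into it. The following is an added example, not Apple's code and not the actual ColorSync defect; the image header layout, the MAX_IMAGE_BYTES limit and the sample dimensions are all constructed for illustration. It places the unchecked 32-bit computation beside a hardened version that widens before multiplying and bounds every intermediate result.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical image header (constructed for this example, not a real
 * ColorSync or ImageIO structure): pixel geometry plus the length of an
 * embedded colour profile that follows the pixel data.
 */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;         /* bytes per pixel */
    uint32_t profile_len; /* bytes of embedded colour profile */
} image_header_t;

/* Upper bound a decoder is willing to allocate for one image (policy choice). */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

static image_header_t make_header(uint32_t w, uint32_t h, uint32_t bpp, uint32_t plen) {
    image_header_t hdr = { w, h, bpp, plen };
    return hdr;
}

/*
 * Vulnerable pattern: the product is computed in 32 bits, so file-controlled
 * dimensions can wrap it to a small value. A heap buffer sized from this
 * result is then overrun when the decoder writes width*height*bpp bytes.
 */
static uint32_t pixel_bytes_unchecked(const image_header_t *h) {
    return h->width * h->height * h->bpp;
}

/*
 * Hardened pattern: widen before multiplying, bound every intermediate
 * result, and check the addition of the profile length. Returns 0 and the
 * total byte count on success, -1 if any step would overflow or exceed policy.
 */
static int pixel_bytes_checked(const image_header_t *h, size_t *out) {
    uint64_t n = (uint64_t)h->width * h->height;         /* 32x32 bits cannot wrap in 64 */
    if (n > MAX_IMAGE_BYTES) return -1;
    n *= h->bpp;                                          /* n <= 2^28, bpp < 2^32: fits in 64 */
    if (n > MAX_IMAGE_BYTES) return -1;
    if (h->profile_len > MAX_IMAGE_BYTES - n) return -1;  /* total would exceed the bound */
    *out = (size_t)(n + h->profile_len);
    return 0;
}

/* Constructed rigged header: 65536 x 65536 x 4 wraps the 32-bit product to 0. */
static uint32_t demo_unchecked_size(void) {
    image_header_t h = make_header(0x10000u, 0x10000u, 4u, 0u);
    return pixel_bytes_unchecked(&h);
}

/* The same header is refused by the checked computation (returns 1 when rejected). */
static int demo_checked_rejects(void) {
    image_header_t h = make_header(0x10000u, 0x10000u, 4u, 0u);
    size_t n = 0;
    return pixel_bytes_checked(&h, &n) == -1;
}

/* A benign 640x480 RGBA image with a 3144-byte profile is accepted: 1228800 + 3144. */
static size_t demo_checked_accepts(void) {
    image_header_t h = make_header(640u, 480u, 4u, 3144u);
    size_t n = 0;
    return pixel_bytes_checked(&h, &n) == 0 ? n : 0;
}

int main(void) {
    printf("unchecked size for rigged header: %" PRIu32 " bytes\n", demo_unchecked_size());
    printf("checked computation rejects it: %s\n", demo_checked_rejects() ? "yes" : "no");
    printf("checked size for benign header: %zu bytes\n", demo_checked_accepts());
    return 0;
}
```

The policy limit matters as much as the overflow check: bounding the product at each step means the later multiplication and addition are provably in range, so the decoder never has to reason about wraparound in the allocation path.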

Safari 4.0.5 is available via the Apple Software Update application or Apple's Safari download site.


Talkback

  • Hardly worth calling Pwn2Own when they don't include Linux...

    Lame.
    DTS Linux Advocate
    • Uh, scuse me?

      Last year they DID include Linux, and it was hacked as well.
      Lerianis10
      • 'scuse you.

        'scuse you.
        http://gizmodo.com/373779/linux-last-man-standing-in-pwn-2-own-thunderdome
        http://engadget.com/2008/03/29/linux-becomes-only-os-to-escape-pwn-2-own-unscathed/
        http://crunchgear.com/2008/03/29/pwn-2-own-linux-ftw/
        http://informationweek.com/blog/main/archives/2009/03/where_was_linux.html
        http://linuxtoday.com/security/2008033000626SCDBDT
        http://pcworld.idg.com.au/article/210552/vista_breached_linux_unbeaten_hacking_contest/
        AzuMao
      • Linux has not been hacked you fool (M$ tool)! :D

        If it has it's news to the NSA you fool. Quit spreading your rubbish without links or proof!

        I just searched it out and to date Linux has only been hacked itself in a lab and then quickly patched by the NSA with Secure Linux SELinux!

        Hasn't been touched since nor has it ever been infected in the Wild! ;)
        i2fun
        • Right...

          Linux has "never" been hacked? Wow... That's funny. I think you forgot your SarcMark
          LiquidLearner
    • Not lame.

      Good business sense.
      Pwn2Own probably get tons of money from Microsoft and Apple to not let in competitors like Linux-based OSs.
      Wouldn't you make the same decision in their position?
      AzuMao
      • No, they just don't get money from the Linux Foundation

        Apple and MS aren't keeping them out. The conference would welcome donations from LF.

        Keep in mind these guys do this for bragging rights. Behind the scenes they make money doing this - off Apple and Microsoft. So they specialize where the money is. And that's not me talking, that's what they've said. No money from Linux no work on breaking linux.
        DevGuy_z
        • Yes, because a non-profit organization with 41 members should be able to..

          ..shell out as much cash as Apple and Microsoft. Right.

          They just don't want to, because they're greedy as hell. That must be it.
          AzuMao
    • CUE THE DOUBLE STANDARDS!!

      ;-)
      Arm A. Geddon
      • RIGHT, BECAUSE PWN2OWN USUALLY EXCLUDES WINDOWS AND MAC.

        AzuMao
    • Obvious

      Since Linux is absolutely totally completely un-hackable, has never been hacked, and never ever ever will be hacked, it would only bring shame to everyone involved so of course it gets left out. Did you know that even if you have physical access and the root password, you STILL can't hack Linux ?????????
      dev-null
      • Your straw-man is weak.

        Perfection isn't necessary to make OSX and Windows look like garbage in comparison.
        AzuMao
        • Straw Man

          My comment was meant to be a parody on over-zealous advocates of OS'es, sorry if it came across as a SM argument. Some of the regular posters here are sure tiresome.
          dev-null
          • They aren't mutually exclusive.

            Windows apologists posting ridiculous straw-men like you just did are tiresome indeed.

            Hint; nobody said Linux was perfect, just that it's not as crappy as the others.
            AzuMao
          • Read Other Dev-Null Posts ...

            He reiterates how crappy Linux is. You are just annoying - smug, with no teaching at all, just cant.
            PMC-CON
          • So you're trying to say..

            [i]Since Linux is absolutely totally completely un-hackable, has never been hacked, and never ever ever will be hacked, it would only bring shame to everyone involved so of course it gets left out. Did you know that even if you have physical access and the root password, you STILL can't hack Linux ?????????[/i]

            ..that the above isn't a useless, spammy, off-topic straw-man argument?
            AzuMao
    • Luser OSes need not apply...

      .
      Qbt
      • And since

        Linux has been the Winner, not the "Luser" every time it was included...what does that say about Windows and Mac?

        Thanks, for that clarification.
        apostate
        • some more clarification...

          ...you might not like. In the last contest Vista was taken at the very end using a bug in Adobe flash on FF. It was later revealed that the same bug would have had the exact same effect on Linux. But they tried Vista first and one of the contest rules is the same bug can't be used on multiple platforms.

          Why did they pick Vista? maybe cause they wanted to win a Vista machine and didn't care much for the Linux one?
          FutureGuy
          • Because it would have been harder to exploit it on Linux?

            I'm pretty sure AppArmor (installed by default on popular distros, and easy to install manually on others) wouldn't have let it do anything anyways.

            If I'm wrong, all this says is that they're all equally "lusers".
            If I'm right, just Windows and Mac are.
            Either way, there's no excuse for excluding Linux other than Apple and/or Microsoft paying them to.
            AzuMao