JUST IN: As end of Q2 nears, IBM employees fret 'resource actions'

Topic: Security

Discover

Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

Summary: With obvious eyes on this year's CanSecWest Pwn2Own hacker challenge, Apple today dropped two major security updates for Safari and iOS to fix more than 60 vulnerabilities that could be used to hijack Windows, Mac OS X or iPhone/iPod Touch devices.

Ryan Naraine

By for Zero Day |

VANCOUVER -- With obvious eyes on this year's CanSecWest Pwn2Own hacker challenge, Apple today dropped two major security updates for Safari and iOS to fix more than 60 vulnerabilities that could be used to hijack Windows, Mac OS X or iPhone/iPod Touch devices.

The patches arrive on the same day of the annual contest, which pits vulnerability researchers and exploit writers against the major web browsers and smart phones.  Apple has now followed Google and Mozilla in releasing browser updates ahead of Pwn2Own.follow Ryan Naraine on twitter

The new Apple Safari 5.0.4 fixes a total of 62 documented vulnerabilities, most serious enough to allow code execution attacks if a user simply surfs to a booby-trapped web site.   The majority of the vulnerabilities are in WebKit, the open-source browser rendering engine.

Google Chrome gets last-minute bandaid before Pwn2Own

The Safari update also fixes multiple gaping holes in ImageIO and libxml.

Separately, Apple shipped iOS 4.3 to fix a wide range of serious security issues.  The most serious of the iOS flaws could be used to take control of Apple's iPhone devices with maliciously crafted fonts, images or web sites.  Full details on the iOS 4.3 update available here.

Questions for Pwn2Own hacker Charlie Miller

Apple's latest patches are unlikely to be a deterrent to some of the researchers planning to participate in Pwn2Own.

Earlier today, Charlie Miller (of Pwn2Own/Safari fame) showed me an iPhone 4 exploit that steals the victim's address book via a rigged web site.   Miller said the latest batch of patches from Apple does not fix the issue.

In addition to Miller, there are at least two other teams planning iPhone attacks and four different teams planning to hit Safari on Mac OS X.

Also read Dennis Fisher's essay on the importance of the Pwn2Own challenge.

Topics: Security, Apple, Operating Systems

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

40 comments
Log in or register to join the discussion

  • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

    Why did they wait for there to be 62 vulnerabilities to release patches?
    Admin71
    Reply Vote

    • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

      @Bookmark71 I guess noone uses safari as much as IE or Firefox so it might not got much attention from the hackers.
      Well if not for iphone i think safari would have never gained any browser market share.
      coolnerd16
      Reply Vote

      • Apple's answer to security

        @coolnerd16 Apple has lived a long time under the hood of "security by obscurity"
        Apple's answer to security has to change
        btw... where are all the Apple FanBoys at?
        riveroad
        Reply Vote

    • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

      @Bookmark71 <br><br>From what I've seen Apple generally puts quite a few fixes in their patches before releasing them.<br><br>I just hope that these companies aren't holding back on critical patches just to try to look good in a contest.
      Badgered
      Reply Vote

    • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

      @Bookmark71

      this is bloody news making ...
      desilvav
      Reply Vote

    • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

      @Bookmark71 apple is on a quarterly update schedule, they dont care about how secure their products are, its just the number that have been found since the last round of udpates, another reason apple will never work its way into the enterprise or my home, even M$ release patches once a month, and I get updates from ubuntu about once a week, but open source software is SOOOOOOO poorly written and never updated...
      nickdangerthirdi@...
      Reply Vote

      • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

        @nickdangerthirdi@... <br><br>Are you using the same antivirus in Ubuntu as I use in OSX?<br><br>i.e. None.
        alsobannedfromzdnet
        Reply Vote

    • maybe because the prospect of EXPLOITS is low?

      @Bookmark71 Vulnerabilities are just theoretical.. where are the exploits? Where are the exploits in the wild? Apple seems to have a pretty good record of fixing vulnerabilities before exploits in the wild are hatched for them
      doctorSpoc
      Reply Vote

      • I still don't understand...

        @doctorSpoc ...why they don't just go to a monthly schedule and release a smaller number each month rather than these mega patches. It seems to me the number of updates is so large as to almost constitute a service pack type of release.
        cornpie
        Reply Vote

    • Timed for the Pwn2Own challenge

      Clearly the release was timed for the challenge, not because of a magic 62 vulnerabilities.

      Whilst it might block a few for the less qualified hackers, there will be enough bugs remaining for the others to work with.

      It won't just be Apple going down.
      Richard Flude
      Reply Vote

    • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

      @Bookmark71 Because Apple and Google are not mature enterprise companies with regularly, predictable scheduled releases that allows enterprises to plan for these events like Microsoft. Apple and Google are more interested in the market and the brand.
      Your Non Advocate
      Reply Vote

    • Because if they did it earlier hackers would have time

      @Bookmark71
      to find other hacks after these are fixed. Wait till the last second and they stop weeks worth of work and hackers don't have time to find others the contest is over by the time the other hols are found.

      Then apple can say "look - we can't be hacked"
      Will Farrell
      Reply Vote

      • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

        @Will Farrell
        Didn't work though did it. Safari still got pwned easily.
        A.Sinic
        Reply Vote

    • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

      @Bookmark71 becaues they thought they were slick and they were gonna patch the holes that the hackers were going to use to pwn their vulnerable crap
      Jimster480
      Reply Vote

  • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

    @riveroad - is it security through obscurity? I actually see it as low risk due to relative infrequency of actual compromise.
    alex@...
    Reply Vote

    • Yes, it is.

      @alex@...: [i]is it security through obscurity?[/i]

      That's about all it is.
      ye
      Reply Vote

      • That's the simplistic approach...

        ...Micro$oft fanboys use to belittle Apple & Linux security.

        Once they spread enough FUD about that, they hope they can lure people back to using windoze since security will no longer be a trump card for those using non-M$ systems.

        It's the only thing windoze fanboys have since they have nothing but swiss cheese security to hang on to.
        cat o nine tails
        Reply Vote

  • Another Monster, Mega or Massive patch drop from Apple.

    I love how Apple drops massive patch downloads several times a year, but this site will highlight ONE Microsoft patch as headline news, even though it requires the user to be coerced into doing something to make it work.
    These are far more serious and dangerous but blogged only as a side to the Cansecwest, as though Apple was in control and knew just what they were doing and when they needed to do it.
    WebKit sounds like a real piece of garbage. I am staying with IE all the way at this point. I loaded Chrome but I don't see where it's at all noticably faster than any other browser. I found it slower than IE on my Windows 7 machine.
    I would never touch Safari, like any other Apple software, it's not fit for use in the real world.

    Someday when hackers decide it's time to go after Apple the headline is going to still read Massive, mega or Monster, but it will be talking about the scope of the hacked machines. If nation backed or other independently funded hackers put even 1/2 as much effort as they currently put into trying to disprupt things via Windows the Apple world would come to a halt.
    Thank God Apple is not running anything important but rather just another consumer electronics player.
    xuniL_z
    Reply Vote

    • You understand that chrome uses webkit as well right? Lol

      @xuniL_z ...
      doctorSpoc
      Reply Vote

      • RE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches

        @doctorSpoc
        I read the 2 statements about Webkit and Chrome to be together. Anyway, I have always seen Chrome as faster than IE But IE is more compatable with corporate apps.
        Turd Furgeson
        Reply Vote
CNET Join | Log In | Privacy | Cookies Close