Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches
With obvious eyes on this year's CanSecWest Pwn2Own hacker challenge, Apple today dropped two major security updates for Safari and iOS to fix more than 60 vulnerabilities that could be used to hijack Windows, Mac OS X or iPhone/iPod Touch devices.
The patches arrive on the same day as the annual contest, which pits vulnerability researchers and exploit writers against the major web browsers and smart phones. Apple has now followed Google and Mozilla in releasing browser updates ahead of Pwn2Own.
The new Apple Safari 5.0.4 fixes a total of 62 documented vulnerabilities, most serious enough to allow code execution attacks if a user simply surfs to a booby-trapped web site. The majority of the vulnerabilities are in WebKit, the open-source browser rendering engine.
The Safari update also fixes multiple gaping holes in ImageIO and libxml.
Separately, Apple shipped iOS 4.3 to fix a wide range of serious security issues. The most serious of the iOS flaws could be used to take control of Apple's iPhone devices with maliciously crafted fonts, images or web sites. Full details on the iOS 4.3 update are available here.
Apple's latest patches are unlikely to be a deterrent to some of the researchers planning to participate in Pwn2Own.
Earlier today, Charlie Miller (of Pwn2Own/Safari fame) showed me an iPhone 4 exploit that steals the victim's address book via a rigged web site. Miller said the latest batch of patches from Apple does not fix the issue.
In addition to Miller, there are at least two other teams planning iPhone attacks and four different teams planning to hit Safari on Mac OS X.