Print this page
Hoping not to lose Pwn2Own contest
Apple, which is always embarrassed at the speed that hackers can turn over its machines at the annual Pwn2Own contest has rushed out a serious of Safari patches.
The move, which a cynic would say was simply to prevent Jobs' Mobs' security been shown up to be marketing spin again, required more than 16 vulnerabilities that Apple did not admit to be patched. Apple has done a good job of convincing punters, in the face of evidence, that its machines are more secure than Windows.
Apple issued patches for 16 vulnerabilities in Safari, including 12 bugs that could be used to execute code on a vulnerable machine and potentially take full control. Apple said that nine of the 16 flaws rested in Webkit, Safari’s open-source browser engine, and all but one of those can be exploited to execute arbitrary code on a victim’s machine.
Seven deal with what Apple called “use-after-free” issues tied to Webkit’s handling of incorrectly nested HTML tags, its parsing of XML documents and its handling of HTML elements and callbacks for those elements. Four of the fixes are in the ImageIO component. The most serious of these are memory corruption and buffer overflow vulnerabilities attackers could exploit with malicious TIFF images to compromise users and execute arbitrary code. Both the other ImageIO patches deal with uninitialized memory access issues tied to the component’s handling of BMP and TIFF images, respectively.
There is also a heap buffer overflow vulnerability in the ColorSync component, a cookie handling issue in PubSub and a problem with Safari's handling of external URL schemes. It can't be a coincidence that the patches are released two weeks ahead of the Pwn2Own 2010 hacking challenge. In the challenge security experts try to bring down the security of Safari, Microsoft Internet Explorer, Mozilla Firefox and Google Chrome in a battle for $40,000 in prize money. The contest, which also includes a smartphone challenge for $60,000, will be held March 24-26 at the CanSecWest security conference in Vancouver, B.C.
Every year Apple machines have been the laughing stock of the conference usually being broke into within seconds.
Published in
News
Apple rushes out Safari patch
Hoping not to lose Pwn2Own contest
Apple, which is always embarrassed at the speed that hackers can turn over its machines at the annual Pwn2Own contest has rushed out a serious of Safari patches.
The move, which a cynic would say was simply to prevent Jobs' Mobs' security been shown up to be marketing spin again, required more than 16 vulnerabilities that Apple did not admit to be patched. Apple has done a good job of convincing punters, in the face of evidence, that its machines are more secure than Windows.
Apple issued patches for 16 vulnerabilities in Safari, including 12 bugs that could be used to execute code on a vulnerable machine and potentially take full control. Apple said that nine of the 16 flaws rested in Webkit, Safari’s open-source browser engine, and all but one of those can be exploited to execute arbitrary code on a victim’s machine.
Seven deal with what Apple called “use-after-free” issues tied to Webkit’s handling of incorrectly nested HTML tags, its parsing of XML documents and its handling of HTML elements and callbacks for those elements. Four of the fixes are in the ImageIO component. The most serious of these are memory corruption and buffer overflow vulnerabilities attackers could exploit with malicious TIFF images to compromise users and execute arbitrary code. Both the other ImageIO patches deal with uninitialized memory access issues tied to the component’s handling of BMP and TIFF images, respectively.
There is also a heap buffer overflow vulnerability in the ColorSync component, a cookie handling issue in PubSub and a problem with Safari's handling of external URL schemes. It can't be a coincidence that the patches are released two weeks ahead of the Pwn2Own 2010 hacking challenge. In the challenge security experts try to bring down the security of Safari, Microsoft Internet Explorer, Mozilla Firefox and Google Chrome in a battle for $40,000 in prize money. The contest, which also includes a smartphone challenge for $60,000, will be held March 24-26 at the CanSecWest security conference in Vancouver, B.C.
Every year Apple machines have been the laughing stock of the conference usually being broke into within seconds.