Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Apple patches Safari's Pwn2Own vulnerability, two-dozen other critical bugs

Gregg Keizer | April 3, 2014
Cupertino again leaves Snow Leopard users out in the cold by omitting fixes for Safari 5.1.10.

Apple on Tuesday patched the security vulnerability in Safari that was successfully exploited at last month's Pwn2Own hacking contest, where a team cracked the browser to win $65,000.

The Cupertino, Calif. company seeded updates for both Safari 6 and Safari 7 yesterday, promoting the former to version 6.1.3 and the latter to 7.0.3.

Safari 6.x runs on OS X 10.7, aka Lion, and OS X 10.8, better known as Mountain Lion. Safari 7.x runs on OS X 10.9, or Mavericks.

Apple patched 27 vulnerabilities in Safari 6 and Safari 7, all in WebKit, the open-source browser engine that powers Safari, and all but one considered critical in that they could allow, the company said, "arbitrary code execution," Apple's terminology for the most serious bugs.

Among the 27 was the one used by "Keen Team," a Shanghai-based group of security researchers who hacked Safari on the second day of this year's Pwn2Own, held March 12-13 at the CanSecWest security conference in Vancouver, British Columbia.

Of the others, more than half were reported by the Google Chrome security team, which still works on WebKit, even though Google's browser has switched to a different fork, dubbed "Blink," for its foundation.

Another was attributed to French vulnerability seller Vupen, which also sent a team to Pwn2Own. Vupen hacked several targets, including Chrome, Adobe Reader and Adobe Flash, and Microsoft's Internet Explorer, taking home $400,000 of the total contest payout of $850,000. The bug patched in WebKit -- and thus in Safari -- was one of several used by Vupen to exploit Chrome.

Tuesday's Safari update was the second since December that omitted patches for Safari 5.1.10, Apple's most-current browser for OS X 10.6 Snow Leopard, the 2009 operating system that Apple has stopped supporting with security fixes.

Apple delivered the final security update for Snow Leopard in September 2013.

Last month, Apple made it even plainer that it had stopped supporting Snow Leopard, patching 33 vulnerabilities in Lion, Mountain Lion and Mavericks, but fixing none of the same flaws in Snow Leopard. Many OS X 10.6 users refused to believe that Apple had stopped fixing the operating system, and in comments appended to a February story in Computerworld argued that the flaws didn't exist in Snow Leopard and because Apple continues to sell Snow Leopard on its e-store it must still be supporting the five-year-old OS.

In fact, many of the vulnerabilities patched last month in other editions do exist in Snow Leopard: Apple fixed numerous bugs in the core components of those versions -- including Apple's own QuickTime and open-source bits like Apache and PHP -- that are part of every Mac operating system, Snow Leopard included.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.