UPDATE: Can Apple Safari avoid another Pwn2Own embarrassment?
Apple has shipped a new version of its Safari browser with fixes for 16 serious security vulnerabilities but, based on what I’m hearing, this patching frenzy may not be enough to avoid another embarrassment at this year’s CanSecWest Pwn2Own hacker challenge.
The newest Safari 4.0.5 update, available for Windows and Mac OS X, patches several flaws that could lead to remote code execution if a user simply surfs to a rigged Web site. These are exactly the kinds of drive-by download vulnerabilities that are typically used to attack Safari in the Pwn2Own contest.
At the RSA Conference last week, I spent a few minutes talking to hacker Charlie Miller about his plans for this year’s contest and he was quite blunt about the fact that he’s going to CanSecWest with a few Safari zero-day flaws in his back pocket.
Since Miller (almost) never reports vulnerabilities to software vendors, it’s a safe bet those flaws will remain unpatched until after the Pwn2Own contest, which is scheduled for the end of this month. Miller exploited Safari vulnerabilities to win the contest in 2008 and 2009.
This year’s challenge will have a big focus on mobile devices. The organizers have put up a $60,000 bounty to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones. However, the Web browser is still in play with Safari on Mac and Safari on Windows on the list of targets.
Read Full Story: http://blogs.zdnet.com/security/?p=5709