UPDATE: Can Apple Safari avoid another Pwn2Own embarrassment?
Apple has shipped a new version of its Safari browser with fixes for 16 serious security vulnerabilities but, based on what I’m hearing, this patching frenzy may not be enough to avoid another embarrassment at this year’s CanSecWest Pwn2Own hacker challenge.
The newest Safari 4.0.5 update, available for Windows and Mac OS X, patches several flaws that could lead to remote code execution if a user simply surfs to a rigged Web site. These are exactly the kinds of drive-by download vulnerabilities that have typically been used to attack Safari in the Pwn2Own contest.
At the RSA Conference last week, I spent a few minutes talking to hacker Charlie Miller about his plans for this year’s contest and he was quite blunt about the fact that he’s going to CanSecWest with a few Safari zero-day flaws in his back pocket.
Since Miller (almost) never reports vulnerabilities to software vendors, it’s a safe bet those flaws will remain unpatched until after the Pwn2Own contest, which is scheduled for the end of this month. Miller exploited Safari vulnerabilities to win the contest in 2008 and 2009.
This year’s challenge will have a big focus on mobile devices. The organizers have put up a $60,000 bounty to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones. However, the Web browser is still in play with Safari on Mac and Safari on Windows on the list of targets.
"Safari 5 has been a big hit, and user response to the innovative new Safari Reader has been fantastic," said Brian Croll, Apple's vice president of OS X Product Marketing. "We're thrilled to see so many leading developers creating great extensions and think our users are going to love being able to customize Safari."
Safari is a web browser developed by Apple Inc. and included with the Mac OS X and iOS operating systems. First released as a public beta on January 7, 2003 on the company's OS X operating system, it became Apple's default browser beginning with Mac OS X v10.3 "Panther". Safari is also a native browser for iOS.
A version of Safari for the Microsoft Windows operating system was first released on June 11, 2007, and supported Windows XP Service Pack 2 or later, but it has since been discontinued...