We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,812 News Articles

Safari patch tackles hack-the-Mac flaw

Apple patches $10,000 prize-winning bug

Apple has patched for its Safari web browser to fix the flaw uncovered at the CanSecWest security conference's hack-the-Mac contest.

The flaw was exploited by Independent Security Evaluators Researcher Charlie Miller to gain access to Apple's MacBook Air three weeks ago. It lies in the WebKit open-source HTML rendering engine used by Safari and several other Mac OS X programs.

The bug lay in the way WebKit would process certain specially crafted JavaScript commands. In order to exploit the flaw, Miller had to first make the contest organisers visit a special website that contained his malicious JavaScript code.

See also:

Hacker uses Safari to crack Mac OS X

Linux defeats hackers, but Vista & Mac OS X fall

There was one other winner in the CanSecWest PWN 2 OWN contest, which invited hackers to try to break into Windows and Linux systems, as well as the MacBook Air. Shane Macaulay, a researcher with the Security Objectives consultancy, hacked into a Vista machine using an Adobe Flash Player bug, which was patched last week.

WebKit is also part of Apple's Dashboard and Mail software. An Apple spokesman could not say whether users of those products were also at risk from this attack.

Miller said anything that used an older version of WebKit would be vulnerable. This might include Linux browsers and mobile-phone browsers, he said.

A second WebKit flaw, patched on Wednesday, could lead to a cross-site scripting attack, in which an attacker can do things such as steal the login credentials or log the keystrokes of a victim.

Both the Windows and Mac OS X versions of Safari are vulnerable to these WebKit flaws, Apple said in its security advisory.

The Safari 3.1.1 update also includes fixes for a pair of Safari-for-Windows vulnerabilities that could possibly be exploited by attackers to run unauthorised software on a victim's computer and to make a fake phishing web page appear to have a legitimate web address.

Related articles:

Apple MacBook Air review

All MacBook reviews


IDG UK Sites

45 Best Android games: top Android games for your smartphone or tablet in 2014 (24 are free!)

IDG UK Sites

How Apple, Adobe, Microsoft and others have let us down over UltraHD and hiDPI screens

IDG UK Sites

Miranda July's Somebody app offers a very unusual take on messaging

IDG UK Sites

iPad Pro release date, rumours and leaked images - 12.9 screen 'coming in 2015'