
Apple 'to patch Safari before Pwn2Own'

Clues point to update before hacking contest

Apple will patch its Safari browser before the Pwn2Own hacking contest kicks off next week, security researchers hinted.

If accurate, Apple will join both Google and Mozilla, which earlier this week issued security updates for Chrome and Firefox as preparation for Pwn2Own.

Apple patched a record 57 vulnerabilities in its iTunes music software; 50 of those bugs were attributed to WebKit, the open-source browser engine that Safari's built on. iTunes relies on WebKit to render its online store component.

"Anti-pwn2own again: Apple fixed a record of 50 vuln[erabilities] in WebKit (iTunes), and is preparing the update for Safari/Mac OS X," said French security firm Vupen in a message on its Twitter account.

Vupen's mention of Pwn2Own refers to the annual hacking contest held at the CanSecWest security conference. This year's Pwn2Own runs March 9 to 11.

At Pwn2Own, security researchers will compete for $65,000 in prizes by trying to take down the most up-to-date editions of Safari 5, Google's Chrome 9, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.

It's not unusual for Apple to patch WebKit flaws in one application before it rolls out those same fixes for another. In the past, however, it's usually patched WebKit vulnerabilities in Safari before addressing them in iTunes.

Other clues to an upcoming Safari update came from HP TippingPoint, coincidentally the sponsor of Pwn2Own, which issued advisories on two WebKit bugs patched in iTunes yesterday. The bugs were originally reported to TippingPoint's Zero Day Initiative (ZDI) bug bounty program; ZDI passed the reports to Apple last October.

Both the advisories said that attackers could exploit the bugs to "execute arbitrary code on vulnerable installations of Apple ... WebKit" and that the vulnerabilities could be triggered using "drive-by" tactics that only require a victim to visit a malicious website.

Another hint that Safari will be patched soon came from the iTunes advisory posted by Apple. None of the 50 WebKit bugs listed in the advisory were accompanied by the usual terse Apple description; instead, Apple only noted the CVE (Common Vulnerabilities and Exposures) identifying number and the researcher(s) who first reported the flaw.

More than 30 of the 50 WebKit vulnerabilities were credited to Google researchers and developers. Google's Chrome, like Safari, is built on the WebKit engine.

If Apple patches Safari, it will be the third browser to update this week.

Google patched 19 bugs in Chrome, and Mozilla followed that with an 11-patch update to Firefox.

Last year, only Apple and Google updated their browsers just before Pwn2Own. Mozilla acknowledged a critical vulnerability in Firefox less than a week before 2010's contest, but said it wouldn't fix the flaw in time for the challenge. Pwn2Own organizers later ruled that Firefox vulnerability off limits.

See also: Three-time Pwn2Own winner knocks hacking contest rules

