Posted on 03/04/2011 10:51:35 PM PST by Swordmaker
Apple will patch its Safari browser before the Pwn2Own hacking contest kicks off next week, security researchers hinted Thursday.
If accurate, Apple will join both Google and Mozilla, which earlier this week issued security updates for Chrome and Firefox as preparation for Pwn2Own.
On Wednesday, Apple patched a record 57 vulnerabilities in its iTunes music software; 50 of those bugs were attributed to WebKit, the open-source browser engine that Safari's built on. iTunes relies on WebKit to render its online store component.
"Anti-pwn2own again: Apple fixed a record of 50 vuln[erabilities] in WebKit (iTunes), and is preparing the update for Safari/Mac OS X," said French security firm Vupen in a message on its Twitter account.
Vupen's mention of Pwn2Own refers to the annual hacking contest held at the CanSecWest security conference in Vancouver, British Columbia. This year's Pwn2Own runs March 9-11.
At Pwn2Own, security researchers will compete for $65,000 in prizes by trying to take down the most up-to-date editions of Safari 5, Google's Chrome 9, Microsoft's Internet Explorer 8 and Mozilla's Firefox 3.6.
It's not unusual for Apple to patch WebKit flaws in one application before it rolls out those same fixes for another. In the past, however, it's usually patched WebKit vulnerabilities in Safari before addressing them in iTunes.
Other clues to an upcoming Safari update came from HP TippingPoint, coincidentally the sponsor of Pwn2Own, which issued advisories on two WebKit bugs patched in iTunes Wednesday. The bugs were originally reported to TippingPoint's Zero Day Initiative (ZDI) bug bounty program; ZDI passed the reports to Apple last October.
Both the advisories said that attackers could exploit the bugs to execute arbitrary code on vulnerable installations of Apple ... WebKit and that the vulnerabilities could be triggered using drive-by tactics that only require a victim to visit a malicious Web site.
Another hint that Safari will be patched soon came from the iTunes advisory posted by Apple on Wednesday. None of the 50 WebKit bugs listed in the advisory were accompanied by the usual terse Apple description; instead, Apple only noted the CVE (Common Vulnerabilities and Exposures) identifying number and the researcher(s) who first reported the flaw.
More than 30 of the 50 WebKit vulnerabilities were credited to Google researchers and developers. Google's Chrome, like Safari, is built on the WebKit engine.
If Apple patches Safari, it will be the third browser to update this week.
Google patched 19 bugs in Chrome on Monday, and Mozilla followed that on Tuesday with an 11-patch update to Firefox.
Last year, only Apple and Google updated their browsers just before Pwn2Own. Mozilla acknowledged a critical vulnerability in Firefox less than a week before 2010's contest, but said it wouldn't fix the flaw in time for the challenge. Pwn2Own organizers later ruled that Firefox vulnerability off limits.
Assuming Apple updates Safari, of the four Pwn2Own-targeted browsers, only Internet Explorer (IE) will remain unpatched in the days leading up to the contest. Microsoft last issued fixes for IE flaws on Feb. 8 as part of its monthly Patch Tuesday.
Try this: You're really milking this. If you're going to be a disrupter at least do it correctly.
KNOCK IT OFF!! AND I MEAN YOU!!
I guess trolls are permissible now. Sorry if I brought disservice, but disruption for the sake of personal jollies was stated as being a wrong-headed POV. I was pointing it out, and most of my posts have been removed, but the troll stands proud and gloating. The deliberate use of demeaning words and ad hominems is a little hard to handle.
What am I getting wrong? He is a troll.
Sorry, you're ignorant of the facts. Apple didn't steal anything, FreeBSD is free, and OS-X came from NextStep and Mach. Read a little history of the thing before you accuse people of stealing.
If you're going to troll, at least get your facts straight. Sheesh.
Heck, they're getting supported, and my light-hearted response (#13) gets pulled, wtfo. Time to sit back and let the tech threads degenerate again. I don't have the energy today to play footsie with this cr@p.
> Heck, they're getting supported, and my light-hearted response (#13) gets pulled, wtfo. Time to sit back and let the tech threads degenerate again. I don't have the energy today to play footsie with this cr@p.
Sorry, I guess that was a little nasty. I'm just very frustrated. JimRob made his position -- and thus the site policy -- very clear, and while he's dealing with much more serious problems (his leg), some people take advantage to push their own agenda. Seems disrespectful, to me.
Prayers up again, for Jim's rapid recovery and return.
THIS IS BOLD.
THIS IS CAPITALIZED.
That is FALSE... Apple OSX is fully licensed and is a registered and trademarked, fully certified version of UNIX. No theft was involved. To claim that is a lie. It is one of only four so certified by the UNIX organization to use the UNIX trademarks.
Well said.
Touchy with the rubs. Pretend BSD base isn’t stolen from the freeware developers and warped into an Apple OS.
I don't have to pretend anything, almost. I know the facts.
You are an idiot if you think that the fully licensed, and registered version of FreeBSD UNIX that is at the core of OSX is stolen. Do you REALLY think that the organization that licenses UNIX would grant Apple has made a lot of developments and advancements in FreeBSD and put it back out into the FOS software environment. Apple outright owns the rights to CUPS, WEBKIT, and quite a few other components of UNIX, and has licensed them back to others to use in the open software community including the LINUX variants. Even Android uses a lot of Apple's open source software that's been licensed openly like WEBKIT.