Apple has issued a security patch for its Safari Web browser, fixing the flaw that earned one security researcher US$10,000 at the CanSecWest security conference.
The flaw was exploited by Independent Security Evaluators Researcher Charlie Miller to gain access to a MacBook Air computer three weeks ago. It lies in the WebKit open-source HTML rendering engine used by Safari and several other Mac OS X programs.
The bug lay in the way WebKit would process certain specially crafted JavaScript commands. In order to exploit the flaw, Miller had to first make the contest organizers visit a special Web site that contained his malicious JavaScript code.
There was one other winner in the CanSecWest PWN 2 OWN contest, which invited hackers to try to break into Windows, Mac and Linux computers. Shane Macaulay, a researcher with the Security Objectives consultancy, hacked into a Vista machine using an Adobe Flash Player bug, which was patched last week.
WebKit is also part of Apple's Dashboard and Mail software. An Apple spokesman could not say whether users of those products were also at risk from this attack.
In an e-mail interview, Miller said anything that used an older version of WebKit would be vulnerable. This might include Linux browsers and mobile-phone browsers, he said.
A second WebKit flaw, patched Wednesday, could lead to a cross-site scripting attack, in which an attacker can do things such as steal the login credentials or log the keystrokes of a victim.
Both the Windows and Mac OS X versions of Safari are vulnerable to these WebKit flaws, Apple said in its security advisory.
The Safari 3.1.1 update also includes fixes for a pair of Safari-for-Windows vulnerabilities that could possibly be exploited by attackers to run unauthorized software on a victim's computer and to make a fake phishing Web page appear to have a legitimate Web address.
- Sponsored Resource:Are you ready for virtualization? Try the sever assessment tool.
- Sponsored Resource:Stay at home servers. Learn more about a home server for your family.
- Sponsored Resource:Get the communications, data, and security a business needs in one neat package. Learn more.
- Sponsored Resource:Learn more about ultra light notebooks from Asus and the best warranty in the industry.
- Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
- Sponsored Resource:Get the truth about remanufactured ink. Learn more from HP.
- Sponsored Resource:Six smart ways to grow small business IT
News For Your Business
- AT&T Objects to Sprint-Clearwire Deal
- OS X Virus Described
- FCC OKs Sirius Acquisition of XM
- Broadband Innovations, Part 4: The Doctor Isn't In but Can Still See You
- Gateway to Stop Selling PCs Through Web Site
Community Comments