Apple patches $10,000 prize-winning bug

April 16, 2008 —

Apple has issued a security
patch for its Safari
Web browser, fixing the flaw that earned
one security researcher US$10,000 at the CanSecWest security conference.

The flaw was exploited by Independent Security Evaluators Researcher Charlie
Miller to gain access to a MacBook Air computer three weeks ago. It lies in
the WebKit open-source HTML
rendering engine used by Safari and several other Mac OS X programs.

The bug lay in the way WebKit would process certain specially crafted JavaScript
commands. In order to exploit the flaw, Miller had to first make the contest
organizers visit a special Web site that contained his malicious JavaScript
code.

There was one other winner in the CanSecWest PWN
2 OWN contest, which invited hackers to try to break into Windows, Mac and
Linux computers. Shane Macaulay, a researcher with the Security Objectives consultancy,
hacked into a Vista machine using an Adobe Flash Player bug, which was patched
last week.

WebKit is also part of Apple's Dashboard and Mail software. An Apple spokesman
could not say whether users of those products were also at risk from this attack.

In an e-mail interview, Miller said anything that used an older version of
WebKit would be vulnerable. This might include Linux browsers and mobile-phone
browsers, he said.

A second WebKit flaw, patched Wednesday, could lead to a cross-site scripting
attack, in which an attacker can do things such as steal the login credentials
or log the keystrokes of a victim.

Both the Windows and Mac OS X versions of Safari are vulnerable to these WebKit
flaws, Apple said in its security
advisory.

The Safari 3.1.1 update also includes fixes for a pair of Safari-for-Windows
vulnerabilities that could possibly be exploited by attackers to run unauthorized
software on a victim's computer and to make a fake phishing Web page appear
to have a legitimate Web address.

IDG News Service