Apple, Mozilla Plug Critical JavaScript Browser Flaws

Remember the hacked MacBook Air at the CanSecWest security conference a few weeks ago? Apple has fixed the flaw that let Independent Security Evaluator researcher Charlie Miller gain unauthorized access to the machine as part of the Pwn 2 Own hacking contest.

Apple issued a security patch for its Safari Web browser, the vector that opened the door to Miller and his team of expert hackers. Miller won $10,000 for his feat, and now Apple has made sure that malicious attackers can’t repeat the performance and walk off with much more through scams.

The flaw was in WebKit, the open-source HTML rendering engine that Safari and several other Mac OS X programs use. The problem was the way WebKit processed certain specially crafted JavaScript commands. Miller exploited the flaw by using the Safari browser to visit a Web site containing malicious code.

Apple’s Quick Turnaround

“It’s encouraging to see a quick turnaround time from Apple as they patched Charlie Miller’s exploit approximately three weeks after it was reported to them following the Pwn 2 Own contest at CanSecWest. Would it have been patched in three weeks had the contest not received such a high degree of media attention?” asked Michael Sutton, a security researcher at SafeChannel and former VeriSign iDefense director. “Probably not.”

Whether you agree or disagree with such contests, Sutton said, it’s difficult to argue that they don’t focus attention on software vulnerabilities in widely used software and put pressure on vendors to patch quickly. Sutton hopes such a quick patch cycle becomes the rule rather than the exception.

Safari for Windows Also Fixed

Beyond WebKit, Safari 3.1.1 for Windows XP or Vista had a timing issue that allowed a Web page to change the contents of the address bar without loading the contents of the page.

This could be used to spoof a…
