Apple patches $10,000 prize-winning bug

Apple has patched the flaw used by researcher Charlie Miller to win $10,000 in a recent Mac hacking contest.

Apple has issued a security patch for its Safari Web browser, fixing the flaw that earned one security researcher US$10,000 at the CanSecWest security conference.

The flaw was exploited by Independent Security Evaluators Researcher Charlie Miller to gain access to a MacBook Air computer three weeks ago. It lies in the WebKit open-source HTML rendering engine used by Safari and several other Mac OS X programs.

The bug lay in the way WebKit would process certain specially crafted JavaScript commands. In order to exploit the flaw, Miller had to first make the contest organisers visit a special Web site that contained his malicious JavaScript code.

There was one other winner in the CanSecWest PWN 2 OWN contest, which invited hackers to try to break into Windows, Mac and Linux computers. Shane Macaulay, a researcher with the Security Objectives consultancy, hacked into a Vista machine using an Adobe Flash Player bug, which was patched last week.

WebKit is also part of Apple's Dashboard and Mail software. An Apple spokesman could not say whether users of those products were also at risk from this attack.

In an e-mail interview, Miller said anything that used an older version of WebKit would be vulnerable. This might include Linux browsers and mobile-phone browsers, he said.

A second WebKit flaw, patched Wednesday, could lead to a cross-site scripting attack, in which an attacker can do things such as steal the login credentials or log the keystrokes of a victim.

Both the Windows and Mac OS X versions of Safari are vulnerable to these WebKit flaws, Apple said in its security advisory.

The Safari 3.1.1 update also includes fixes for a pair of Safari-for-Windows vulnerabilities that could possibly be exploited by attackers to run unauthorised software on a victim's computer and to make a phishing Web page appear to have a legitimate Web address.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?