Apple launches Safari 5, patches record 48 bugs

Fixes flaw in browser that hacker team exploited at Pwn2Own to win $15,000

Apple on Monday shipped the latest version of its Safari browser, patching a record 48 vulnerabilities, including one that a pair of hackers exploited in March to win a $US15,000 prize.

The new browser debuted the same day as Apple unveiled the iPhone 4 at its annual Worldwide Developers Conference.

Safari 5, the first major upgrade to the Mac OS X and Windows browser in a year, fixed four dozen flaws, most of them in WebKit, the open-source engine that powers not only Apple's browser but also Google's Chrome. Apple also updated the previous edition to version 4.1 on Monday.

Among the 48 vulnerabilities was the one used by the two-man team of Vincenzo Iozzo and Ralf-Philipp Weinmann to hack an Apple iPhone 3GS in five minutes at the Pwn2Own contest last March, said Aaron Portnoy, security research team lead with HP TippingPoint. TippingPoint's 's Zero Day Initiative (ZDI) bug-bounty program paid the two researcher $15,000 -- a record amount for the four-year-old Pwn2Own -- for the Safari bug and exploit they used to break into the iPhone.

The Iozzo/Weinmann vulnerability was in WebKit, which is also the foundation of the stripped-down Safari browser Apple builds into the iPhone, iPod Touch and iPad.

Although Apple patched the bug in Safari 5 and 4.1 for Mac and Windows this week, it has not yet addressed the issue in its mobile devices. Presumably, Apple will do that with iOS4, the operating system upgrade slated to launch for the iPhone and iPod Touch June 21, and later this year for the iPad.

Portnoy said he was sure Apple would patch the vulnerability in the iPhone -- after all, that's where Iozzo and Weinmann exploited it for their Pwn2Own victory -- but admitted he had no idea when it would do so. "Apple is pretty secretive," said Portnoy.

Apple also dealt with a Windows-only bug that Polish researcher Krystian Kloskowski revealed a month ago. That vulnerability could be exploited by attackers simply by tricking users into visiting a malicious Web site.

Apple's advisory labeled 27 of the 48 vulnerabilities, or 56% of the total, with the company's "arbitrary code execution" phrase, meaning the flaws are critical and could be exploited to compromise a Mac or a Windows machine. Unlike other vendors, notably Microsoft, Apple does not rank the bugs it discloses. Seven of the bugs were cross-site scripting vulnerabilities that could be used by identity thieves.

Because Google's Chrome also relies on WebKit -- and like Safari is available on both the Mac and Windows -- it shouldn't come as a surprise that a number of the bugs fixed in Safari 5 and 4.1 were discovered by security engineers at Apple's rival. Google received credit for 25% of the vulnerabilities, double the percentage when Apple last patched Safari , in mid-March.

By comparison, Apple was credited with finding with only four flaws, or 8% of the total.

Safari is currently the world's No. 4 browser, accounting for a 4.8% share of the global browser usage market last month. The bulk of Safari usage is on the Mac; just 0.3 percentage point of Safari's total share came from the Windows version in May.

Safari 5 can be downloaded from Apple's site for Mac OS X 10.4 (Tiger), Mac OS X 10.5 (Leopard), Mac OS X 10.6 (Snow Leopard), Windows XP, Windows Vista and Windows 7. Mac OS X users will be notified of the new version automatically by the operating system's software update feature, while Windows users already running Safari will be alerted by the Apple Software Update tool.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about browsers in Computerworld's Browsers Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Applesafaripatches

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Essentials

Brother MFC-L3745CDW Colour Laser Multifunction

Learn more >

Mobile

Exec

Budget

Back To Business Guide

Click for more ›

Brand Post

Shining a light on creativity

MSI has long pushed the boundaries of invention with its ever-evolving range of laptops but it has now pulled off a world first with the new MSI Creative 17.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?