Apple issued a security patch for its Safari Web browser, the vector that opened the door to Miller and his team of expert hackers. Miller won $10,000 for his feat, and now Apple has made sure that malicious attackers can't repeat the performance and walk off with much more through scams.
The flaw was in the Webkit open-source HTML rending engine Safari and several other Mac OS X programs use. The problem was the way Webkit processed certain specially crafted JavaScript commands. Miller exploited the flaw by using the Safari browser to visit a Web site containing malicious code.
Apple's Quick Turnaround
“It's encouraging to see a quick turnaround time from Apple as they patched Charlie Miller's exploit approximately three weeks after it was reported to them following the Pwn 2 Own contest at CanSecWest. Would it have been patched in three weeks had the contest not received such a high degree of media attention?” asked Michael Sutton, a security researcher at SafeChannel and former VeriSign iDefense director. “Probably not.”
Whether you agree or disagree with such contests, Sutton said, it's difficult to argue that they don't focus attention on software vulnerabilities in widely used software and put pressure on vendors to patch quickly. Sutton hopes such a quick patch cycle becomes the rule rather than the exception.
Safari for Windows Also Fixed
Beyond Webkit, the Safari 3.1.1 for Windows XP or Vista had a timing issue that allows a Web page to change the contents of the address bar without loading the contents of the page.
This could be used to spoof a legitimate site, Apple said, allowing user credentials or other information to be gathered. The fix addresses the issue by restoring the address-bar contents if a request for a new Web page is terminated. This issue does not affect Mac OS X systems.
Also in the Windows version of Safari, memory corruption was an issue in file downloading. By enticing a user to download a file with a maliciously crafted name, Apple said, an attacker could cause an unexpected application termination or arbitrary code execution. The fix addresses the issue through improved handling of file downloads. Again, this issue does not affect Mac OS X systems.
New Version of Mozilla
Meanwhile, Mozilla patched a single critical vulnerability in Firefox's JavaScript engine. The latest version of the open-source browser, 2.0.0.1.4, patches the bug for stability reasons, but Mozilla did not rule out that attackers could leverage crashes in JavaScript's garbage collector.
“We have no demonstration that this particular crash is exploitable, but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past,” the advisory said.
Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript is enabled for e-mail. This is not the default setting, and Mozilla strongly discourages users from running JavaScript in e-mail. Without further investigation, the organization said, Mozilla cannot rule out the possibility that an attacker might be able to exploit memory through some means other than JavaScript, such as large images.
Leave a Reply
You must be logged in to post a comment.