Published on April 3rd, 2014
Apple patches Safari’s Pwn2Own vulnerability, two-dozen other critical bugs
The security updates address multiple vulnerabilities in Apple's Safari web browser, which has always been the standard browser for Mac users.
This time it is not five or ten, but about two dozen. Apple issued a security update to patch a total of 27 vulnerabilities in the Safari web browser, including the one highlighted at the Pwn2Own 2014 hacking competition.
The updates bring Safari on OS X 10.7 and 10.8 to version 6.1.3, and on OS X 10.9 to version 7.0.3.
Among the 27 vulnerabilities, the most notable one addressed in the update is CVE-2014-1303, a heap-based buffer overflow that can be exploited remotely and could lead to a bypass of the sandbox protection mechanism via unspecified vectors.
This vulnerability is the one used by Liang Chen of "Keen Team," a Shanghai-based group of security researchers, who hacked Safari on the second day of this year's Pwn2Own hacking competition, held on March 12-13 at the CanSecWest security conference in Vancouver, earning a $65,000 reward.
The vulnerabilities involved memory corruption errors in WebKit which, if exploited by a malicious or specially crafted website, could allow a remote attacker to execute arbitrary code on the victim's machine or crash the software entirely, resulting in a denial-of-service (DoS) condition. This could also serve as a starting point for injecting malware onto the victim's computer.
Another notable vulnerability is CVE-2014-1713, reported by the French security firm VUPEN (known for selling zero-day exploits, typically to law enforcement and government intelligence agencies) and HP's Zero Day Initiative.
VUPEN also exploited several targets in this year’s Pwn2Own competition, including Chrome, Adobe Flash and Adobe Reader, and Microsoft's Internet Explorer, taking home $400,000 of the total contest payout for the IE 11 zero-day.
More than half of the bugs in this latest Apple update were fixed by the Google Chrome Security team, as both Google's Chrome browser and Safari are powered by the WebKit framework.
Apple also specifically mentioned a different flaw discovered by Ian Beer of Google's Project Zero, which could enable an attacker running arbitrary code in the WebProcess to read arbitrary files despite Safari's sandbox restrictions.
Last month, Apple issued the iOS 7.1 update for iPhones, iPads and iPod Touches to patch several vulnerabilities, including the one in mobile Safari.