Safari and IE Hacked at Pwn2own
New zero-day flaw in IE emerges, as Apple issues massive Safari update.
How long does it take to hack an Apple Safari Web browser running on Mac OS X?
Yup. You read that right and it's not a typo. Researchers from VUPEN Security competing in the Pwn2Own hacking challenge were able to hack or 'pwn' Safari in only five seconds.
There is, however, a catch. A fully patched version of Mac OS X with Safari 5.0.3 was used at the Pwn2Own event.
"Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the pwn2own contest," VUPEN Security wrote in a tweet. "This breaks some exploits, but not all !!"
The Pwn2own event rewards security researchers with cash and prizes for hacking browsers and mobile platforms. HP TippingPoint, which sponsors the event, keeps the bugs under wraps and properly discloses them to the affected vendor.
Apple's Safari 5.0.4 update patches a long list of vulnerabilities including at least 54 security flaws in the WebKit rendering engine. Google's Chrome browser also uses WebKit and was recently updated for multiple WebKit related flaws. At least 22 of the WebKit flaws fixed in Safari 5.0.4 were credited to Google security researchers.
Apple's security advisory summarized the bulk of WebKit vulnerabilities as memory corruption issues.
"Multiple memory corruption issues existed in WebKit," Apple's advisory states. "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution."
Memory corruption issues aren't the only WebKit related vulnerability that Safari 5.0.4 fixes. There is also an HTTP Basic Authentication credentials flaw that could have enabled an attacker to have their credentials redirected to another site without user authorization.
In addition, there is a WebKit related cache poisoning fix that Apple's own security research team discovered.
"A maliciously crafted website may be able to prevent other sites from requesting certain resources," Apple warned. "This issue is addressed through improved type checking."
Cross Site Scripting (XSS) is another area that the Safari 5.0.4 update addresses. The Web Inspector tool in Safari could have been leveraged by an attacker to launch an XSS attack.
While the WebKit fixes affect Safari users on both Mac OS X and on Windows, there are also a number of fixes that are just for Safari users on Windows. Safari's ImageIO is being updated for five issues affecting Windows users that could have enabled maliciously crafted images to crash a system.
IE 8 Pwned
Safari wasn't the only system that pwn2own security researcher exploited. Microsoft's IE 8 running on Windows 7 was also successfully exploited. Security researcher Stephen Fewer was able to successfully compromise IE including a Protected Mode bypass.
HP TippingPoint's Aaron Portnoy had told InternetNews.com earlier this week that he was aware of an attack that would be used to exploit IE 8. Portnoy is responsible for running the pwn2own event. Portnoy noted that in order to exploit IE 8's Protected Mode an attacker would have to exploit something at the Windows operating system level.
Unlike Apple, Mozilla and Google, Microsoft did not issue an update for its IE browser ahead of pw2own. Microsoft's March Patch Tuesday update this week only provided three updates, none of which were for IE.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.