For security researchers, the annual Pwn2own contest is as much about shoring up popular Web browsers as it is about bragging rights.
One researcher, Charlie Miller, has a consistent track record of pinpointing vulnerabilities in Apple’s software, and he did not disappoint this year.
But the contest’s rules dictate that the researchers turn their findings over to the companies involved, rather than make them public. Apple has now patched the vulnerability that Miller exposed in its Safari browser running on the Snow Leopard OS, offering a window into the nature of the flaw.
eSecurity Planet has the story on Apple’s patch of the Safari flaw.
Year after year, security researcher Charlie Miller is able to find vulnerabilities in Apple’s software. But it’s usually not until Apple has issued a patch that the public gets clued into how Miller was able to find the exploit.
Miller demonstrated his most recent Apple discovery at the 2010 CanSecWest security conference during the Pwn2own hacking competition, in which security researchers probe popular Web browsers for vulnerabilities. As per the contest rules, full details on the flaw were not immediately made public. Instead, details were handed over to Apple so the company could issue a fix. That fix is now available, providing clues as to the exact nature of the flaw.
At Pwn2own, Miller found the vulnerability in Apple’s Safari browser running on Mac OS X 10.6, a.k.a., “Snow Leopard.” The vulnerable component turns out to be in Apple’s Type Services (ATS) function.