Apple Inc. issued a security update Tuesday to address a total of 27 vulnerabilities in its Safari Web browser,...
including one highlighted at this year's Pwn2Own competition.
The Safari security update pushes the latest versions of the browser to 6.1.3 for Mac users running OSX 10.7 and 10.8, and 7.0.3 for OSX 10.9.
The most notable vulnerability addressed in the update is CVE-2014-1303, a heap-based buffer overflow that can be remotely exploited and could lead to a sandbox bypass. The vulnerability is rated a 10.0 on the Common Vulnerability Scoring System, the highest available. The flaw was first demonstrated by Liang Chen of the China-based Keen Team at the 2014 Pwn2Own competition in Vancouver, resulting in a $65,000 reward.
Apple credited another vulnerability, CVE-2014-1713, to controversial French firm VUPEN security, known for selling zero-day exploits to government agencies, and HP's Zero Day Initiative, the force behind the annual Pwn2Own event. VUPEN had been scheduled to demonstrate a Safari exploit at this year's show, but backed out after the Keen Team took down Apple's browser.
Apple does not provide detailed information on the vulnerabilities it fixes, apart from CVE identifiers, making it unclear whether this flaw addresses the same shelved Pwn2Own exploit.
Use-after-free vulnerabilities, buffer overflows and other memory corruption issues made up a bulk of the flaws patched as part of this update, with the Cupertino, Calif.-based tech giant warning Safari users that they could be exploited when "visiting a maliciously crafted website" without downloading the updated versions of the browser.
Apple did make special note of a separate flaw, discovered by Ian Beer of Google's Project Zero, which could enable an attacker to read arbitrary files despite Safari's sandbox capabilities. All told, the Google security team discovered more than half of the vulnerabilities fixed in this update, as both Google's Chrome browser and Safari are powered by the WebKit framework.