Apple patches Safari's Pwn2Own vulnerability, two-dozen other critical bugs

Cupertino again leaves Snow Leopard users out in the cold by omitting fixes for Safari 5.1.10

Apple on Tuesday patched the security vulnerability in Safari that was successfully exploited at last month's Pwn2Own hacking contest, where a team cracked the browser to win $65,000.

The Cupertino, Calif. company seeded updates for both Safari 6 and Safari 7 yesterday, promoting the former to version 6.1.3 and the latter to 7.0.3.

Safari 6.x runs on OS X 10.7, aka Lion, and OS X 10.8, better known as Mountain Lion. Safari 7.x runs on OS X 10.9, or Mavericks.

Apple patched 27 vulnerabilities in Safari 6 and Safari 7, all in WebKit, the open-source browser engine that powers Safari, and all but one considered critical in that they could allow, the company said, "arbitrary code execution," Apple's terminology for the most serious bugs.

Among the 27 was the one used by "Keen Team," a Shanghai-based group of security researchers who hacked Safari on the second day of this year's Pwn2Own, held March 12-13 at the CanSecWest security conference in Vancouver, British Columbia.

Of the others, more than half were reported by the Google Chrome security team, which still works on WebKit, even though Google's browser has switched to a different fork, dubbed "Blink," for its foundation.

Another was attributed to French vulnerability seller Vupen, which also sent a team to Pwn2Own. Vupen hacked several targets, including Chrome, Adobe Reader and Adobe Flash, and Microsoft's Internet Explorer, taking home $400,000 of the total contest payout of $850,000. The bug patched in WebKit -- and thus in Safari -- was one of several used by Vupen to exploit Chrome.

Tuesday's Safari update was the second since December that omitted patches for Safari 5.1.10, Apple's most-current browser for OS X 10.6 Snow Leopard, the 2009 operating system that Apple has stopped supporting with security fixes.

Apple delivered the final security update for Snow Leopard in September 2013.

Last month, Apple made it even plainer that it had stopped supporting Snow Leopard, patching 33 vulnerabilities in Lion, Mountain Lion and Mavericks, but fixing none of the same flaws in Snow Leopard. Many OS X 10.6 users refused to believe that Apple had stopped fixing the operating system, and in comments appended to a February story in Computerworld argued that the flaws didn't exist in Snow Leopard and that, because Apple continues to sell Snow Leopard on its e-store, it must still be supporting the five-year-old OS.

In fact, many of the vulnerabilities patched last month in other editions do exist in Snow Leopard: Apple fixed numerous bugs in the core components of those versions -- including Apple's own QuickTime and open-source bits like Apache and PHP -- that are part of every Mac operating system, Snow Leopard included.

Apple does sell Snow Leopard from its online store -- the price is $19.99 -- but as an interim step for customers running even older editions who can, and want to, upgrade to something newer, such as Lion or Mountain Lion. Snow Leopard is offered by Apple because it's the oldest edition that provides access to the Mac App Store, the sole distribution outlet for all later OS X upgrades, including Lion, Mountain Lion and Mavericks, which are available only as downloads.

Also part of Tuesday's update for Safari 7 were several non-security improvements and enhancements, including a new preference setting that lets users turn off website notifications and a fix for a glitch where the browser loaded a page or generated search results before the user pressed the return key.

Safari 7.0.3 and 6.1.3 can be obtained by selecting "Software Update..." from the Apple menu, or by opening the Mac App Store application and clicking the Update icon at the top right.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
