Mar 10, 2011 08:31 GMT

Apple released a massive security update for Safari minutes before the Pwn2Own 2011 contest kicked off, but the update didn't stop hackers from compromising the browser.

The new Safari 5.0.4 was released for Windows, Mac OS X 10.6 and Mac OS X 10.5, to address 62 vulnerabilities in different components.

Of the patched flaws, 56 could have resulted in arbitrary code execution, and most of them were exploitable by navigating to a maliciously crafted web page.

Two arbitrary code execution vulnerabilities were addressed in libpng by updating the embedded third-party library to version 1.4.3.

Three other similarly critical flaws related to JPEG and TIFF format parsing were patched in the ImageIO component, while two additional bugs were identified and fixed in libxml.

The rest of the bugs were located in WebKit and were reported upstream by developers and researchers involved in the Chromium project, which also uses the rendering engine.

The credits list is littered with the names of security engineers from Google and other regular Chrome security contributors like Sergey Glazunov, kuzzcc, wushi and Aki Helin.

Aside from the numerous arbitrary code execution flaws, six other vulnerabilities were patched in WebKit. These could have resulted in HTTP authentication credential exposure, cross-site style declaration, resource denial, information disclosure and cross-site scripting.

Safari 5.0.4 landed minutes before the start of the 2011 edition of the Pwn2Own hacking contest, which pits vulnerability researchers against browsers.

Following the release, French vulnerability research company VUPEN Security announced that the patches break a few exploits, but not all. This was later demonstrated when researchers managed to compromise the browser in five seconds.
