Why is it that Apple’s otherwise excellent Safari browser seems to be more prone to vulnerabilities than rival offerings from Microsoft, Google and Mozilla? Ever since security whiz Charlie Miller in 2008 broke into the MacBook Air in two minutes through Safari, the browser has been the subject of intense criticism for its various security weaknesses. Well, Safari just got pwned again at yesterday’s HP TippingPoint-sponsored hacking challenge at the CanSexWest security conference in Vancouver, British Columbia.
This time, the bragging rights belong to the French security firm Vupen which won a cool $15,000 and a MacBook Air for beating its perks in pwning Apple’s browser. It took the team just a few seconds to exploit an unpatched Safari vulnerability. “We pwned Apple Safari on Mac OS X (x64) at pwn2own in 5 seconds,” they tweeted
Just a few minutes before the contest, Apple released Safari 5.0.4 alongside iOS 4.3. Vupen said
the release fixed 62 vulnerabilities, breaking “some exploits but not all.”
In addition to Safari, Microsoft’s Internet Explorer 8 was also hacked pretty quickly. The contest rules required that browsers be frozen to certain version numbers – Safari 5.0.3, Chrome 9, Internet Explorer 8 and Firefox 3.6 – although that didn’t preclude researchers from trying to hack the latest browser releases. Here’s to hoping that Apple will get a Safari fix out soon.