Apple Safari Update Patches 16 Vulnerabilities Ahead of Hacking Contest
Apple has patched 16 vulnerabilities affecting its Safari Web browser as the annual Pwn2Own contest held at the CanSecWest security conference approaches.
Apple issued patches for 16 vulnerabilities in Safari, including 12 bugs that could be used to execute code on a vulnerable machine and potentially take full control. According to Apple's advisory, nine of the 16 flaws were in WebKit, Safari's open-source browser engine, and all but one of those can be exploited to execute arbitrary code on a victim's machine. Of the nine, seven deal with what Apple called "use-after-free" issues tied to WebKit's handling of incorrectly nested HTML tags, its parsing of XML documents and its handling of HTML elements and callbacks for those elements.
Four of the patches fix issues in the ImageIO component. The most serious of these are memory corruption and buffer overflow vulnerabilities that attackers could exploit with malicious TIFF images to compromise users and execute arbitrary code. The other two ImageIO patches deal with uninitialized memory access issues tied to the component's handling of BMP and TIFF images, respectively.