Apple earlier today updated its Safari browser to version 5.0.4, plugging up 62 security holes in the process. Even so, it took French security firm Vupen just 5 seconds to exploit the browser and take home a $15,000 bounty from TippingPoint for doing so. This marks the first time in four years that Charlie Miller, an analyst with Security Evaluators, wasn't first to crack the Safari browser in the annual Pwn2Own contest. And what of Microsoft's IE8 browser? It didn't fare much better.
First, let's be clear that the exploit wasn't written in 5 seconds. The winning exploit was written ahead of time for the previous version of Safari -- version 5.0.3 -- on the MacBook Air. In order to win the $15,000 prize, the exploit still had to work in version 5.0.4, which it did, Computerworld reports.
As for Internet Explorer 8, which was not updated immediately before the contest began, it also fell at the hands of its first attacker. Stephen Fewer, founder of Harmony Security, bypassed IE8's Protected Mode, a sort of sandbox mode intended to isolate the browser from the OS in case a website installs malicious software.