Apple today shipped a patch to fix the drive-by download vulnerability used by Charlie Miller (left) to hack a fully patched MacBook via the Safari browser.
Miller’s hack was part of this year’s CanSecWest Pwn2Own contest where Apple’s flagship browser fell for the third straight year. In the attack, Miller set up a special Web page with the exploit. Using Safari, a conference organizer surfed to the Web page and watched and Miller took control of the machine.
However, according to Apple’s advisory accompanying the patch, the actual vulnerability was not in the Safari browser but in the way ATS (Apple Type Services) handles certain fonts.
Here’s the description:
CVE-2010-1120: An unchecked index issue exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved index.
The issue affects Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.3 and Mac OS X Server v10.6.3).
Apple has still not patched the vulnerability used at Pwn2Own to hack into the iPhone and hijack the SMS database.
Mozilla was the first to ship a patch for a flaw exploited at the contest. Microsoft’s fix for a critical IE 8 flaw used during the challenge is still outstanding.