Here's a little ditty that was almost lost in the sheer volume of this week's Mac OS X security update: Apple has finally patched the two vulnerabilities used to win this year's CanSecWest Pwn2Own hacking contest.
The two flaws were used by Charlie Miller and a German researcher known only as "Nils" to launch successful drive-by download attacks against Apple's Safari browser.
However, according to Apple's release notes, the bug exploited by Miller actually affected ATS (Apple Type Services).
- ATS (CVE-2009-0154): A heap buffer overflow exists in Apple Type Services' handling of Compact Font Format (CFF) fonts. Viewing or downloading a document containing a maliciously crafted embedded CFF font may lead to arbitrary code execution. This update addresses the issue through improved bounds checking.
The vulnerability used during Nils' exploit affected WebKit:
- CVE-2009-0945: A memory corruption issue exists in WebKit's handling of SVGList objects. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved bounds checking.
Mozilla was the first to issue a fix for its Pwn2Own embarrassment. Microsoft is yet to fix the vulnerability that was exploited via Internet Explorer.