Apple patches Pwn2Own flaw used to hack Safari
![ryan-naraine.jpg](https://www.zdnet.com/a/img/resize/58705b1ab848cb0209d7d7d504dffaab176d93aa/2014/07/22/4b4e2273-1175-11e4-9732-00505685119a/ryan-naraine.jpg?auto=webp&fit=crop&frame=1&height=192&width=192)
Miller's hack was part of this year's CanSecWest Pwn2Own contest where Apple's flagship browser fell for the third straight year. In the attack, Miller set up a special Web page with the exploit. Using Safari, a conference organizer surfed to the Web page and watched and Miller took control of the machine.
[ SEE: Charlie Miller hacks Safari again ]
However, according to Apple's advisory accompanying the patch, the actual vulnerability was not in the Safari browser but in the way ATS (Apple Type Services) handles certain fonts.CVE-2010-1120: An unchecked index issue exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved index.
The issue affects Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.3 and Mac OS X Server v10.6.3).
Apple has still not patched the vulnerability used at Pwn2Own to hack into the iPhone and hijack the SMS database.
Mozilla was the first to ship a patch for a flaw exploited at the contest. Microsoft's fix for a critical IE 8 flaw used during the challenge is still outstanding.
ALSO SEE: