Apple today shipped a patch to fix the drive-by download vulnerability used by Charlie Miller to hack a fully patched MacBook via the Safari browser.
Miller's hack was part of this year's CanSecWest Pwn2Own contest, where Apple's flagship browser fell for the third straight year. In the attack, Miller set up a special Web page hosting the exploit. Using Safari, a conference organizer surfed to the Web page and watched as Miller took control of the machine.
However, according to Apple's advisory accompanying the patch, the actual vulnerability was not in the Safari browser but in the way ATS (Apple Type Services) handles certain fonts.
Here's the description:
CVE-2010-1120: An unchecked index issue exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved index.
The issue affects Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.3 and Mac OS X Server v10.6.3.
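To illustrate the bug class named in the advisory, an unchecked index taken from attacker-controlled font data, here is an added example (not Apple's code and not the real ATS font format): a toy parser for a constructed "embedded font" blob whose glyph-offset lookup rejects an out-of-range index instead of reading past the table. The blob layout, the `toy_font` type and the sample bytes are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed toy layout for an "embedded font" blob (not Apple's real format):
 *   u16 num_glyphs, then num_glyphs x u16 glyph offsets, then a u16 glyph index
 *   that the document asks the renderer to draw. All values little-endian. */
typedef struct {
    const uint8_t *offsets;   /* points into the blob at the offset table */
    uint16_t num_glyphs;
    uint16_t requested;       /* glyph index taken from the document */
} toy_font;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the blob; returns 0 on success, -1 if the blob is truncated. */
int toy_font_parse(const uint8_t *buf, size_t len, toy_font *f) {
    if (len < 2) return -1;
    f->num_glyphs = rd16(buf);
    size_t table_bytes = (size_t)f->num_glyphs * 2;
    if (len < 2 + table_bytes + 2) return -1;        /* table or index field cut off */
    f->offsets = buf + 2;
    f->requested = rd16(buf + 2 + table_bytes);
    return 0;
}

/* Resolve the requested glyph's offset. The advisory describes an index from
 * untrusted data used without a range check; here an out-of-range index is
 * rejected rather than being used to read beyond the offset table. */
int toy_font_glyph_offset(const toy_font *f) {
    if (f->requested >= f->num_glyphs) return -1;     /* the index check */
    return rd16(f->offsets + (size_t)f->requested * 2);
}

/* Constructed sample: 3 glyphs at offsets 0x10, 0x20, 0x30; document asks for glyph 1. */
static const uint8_t good_blob[] = { 3,0, 0x10,0, 0x20,0, 0x30,0, 1,0 };
/* Constructed malformed sample: same table, but the requested index is 0xFFFF. */
static const uint8_t bad_blob[]  = { 3,0, 0x10,0, 0x20,0, 0x30,0, 0xFF,0xFF };

/* Parse and resolve in one step; -1 for any malformed input. */
int resolve(const uint8_t *blob, size_t len) {
    toy_font f;
    if (toy_font_parse(blob, len, &f) != 0) return -1;
    return toy_font_glyph_offset(&f);
}
```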