Just three weeks after a well-known researcher defeated the security on a MacBook Pro running Snow Leopard, Apple has released a patch for the vulnerability that allowed the exploit. Security Update 2010-003, released today, fixes a security hole in Mac OS X 10.5, Mac OS X Server 10.5, Mac OS X 10.6 and Mac OS X Server 10.6 that would allow an attacker to run arbitrary code on the computer simply by getting a user to open a file containing a 'maliciously crafted font.'
In the support document accompanying the release, Apple gave proper credit for the discovery of the bug to security analyst Charlie Miller, who pulled off a "three-peat" at the Pwn2Own competition this year after winning in 2008 and 2009. Last year, it took Miller all of ten seconds to defeat a MacBook Air's security; he walked away with the laptop and $10,000 US for his efforts. Apple finally rolled out a fix for that bug 55 days later; this year's vulnerability was patched in 21 days. Competition rules require the contestants to keep their exploits secret until they are patched; the information becomes the property of the sponsor, TippingPoint, which shares the vulnerability details with the affected vendor.
According to the support document, the security hole was in Apple Type Services (ATS), the native font renderer that is used by Preview as well as by the PDF viewer in the Safari web browser. "Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution," the support document reads. "An unchecked index issue exists in Apple Type Services' handling of embedded fonts." In plain terms, an index value read out of the font file was used to address a table without first being checked against the table's bounds, so a crafted font could steer the renderer into memory it should never touch.
Miller also made use of ATS bugs last year, though he wasn't required to reveal details of any exploits other than the one he used to pwn the MacBook. Similarly, this year he found many other bugs through "dumb fuzzing": a brute-force method that simply feeds random or randomly corrupted data to an application and watches what it does, crashes included. Miller did not hide his disdain for the failure of Apple's software engineers to use this automated testing method to find bugs in their own code. Rather than tell them about all the holes he had found for them, Miller said after the competition, he taught Apple and other companies "how to find these bugs, and do what I did. That might get them to do more fuzzing."
Security Update 2010-003 can be downloaded and installed via Software Update, or from Apple Downloads.