Apple patches Pwn2Own exploit, issues many more bug fixes

By giga

Apple has finally patched and revealed the details of the exploit that Charlie Miller used at Pwn2Own 2010 to gain access to a MacBook running Snow Leopard. Users can download Security Update 2010-003 through Software Update or through Apple Support Downloads. The details of the patch are as follows:

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.3, Mac OS X Server v10.6.3

Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

Description: An unchecked index issue exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved index checking. Credit to Charlie Miller working with TippingPoint's Zero Day Initiative for reporting this issue.

In addition to the security update, Apple has also released a handful of updates this week for various Mac hardware and software:

27-inch iMac EFI FW Update 1.0 - The update is recommended for all 27-inch iMacs with quad-core Intel Core i5 and Core i7 processors.

27-inch iMac SMC Firmware Update 1.0 - This update fixes Target Display Mode compatibility issues on 27-inch iMac computers.

MacBook Pro Software Update 1.3 - This update is recommended for all 15-inch and 17-inch MacBook Pro mid 2010 models and contains improvements for graphics stability for high-performance video and gaming applications as well as various bug fixes. 

MobileMe Backup v3.2 - Backup 3.2 is recommended for all users of Backup 3. This update improves the reliability of backup restore and uses space more efficiently on your iDisk or local storage (e.g. external hard drive or DVD).

Mac OS X v10.6.3 v1.1 Update (Combo) - The 10.6.3 v1.1 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac.

Mac OS X Server 10.6.3 v1.1 Update (Combo) - The 10.6.3 v1.1 update is recommended for all servers currently running Snow Leopard Server version 10.6 and includes general operating system fixes that enhance the stability, compatibility and security of your server.

Server Admin Tools 10.6.3 - The Server Admin Tools update is recommended for remote administration of Snow Leopard Server.

Note: The 10.6.3 v1.1 Update is only for users that updated directly from a base 10.6 system to 10.6.3 with a combo update. Users who updated to 10.6.3 from 10.6.1 or 10.6.2 are not required to install the update. 

Comments (39)

Iian K Reply

Oh goody.

roadwarrior Reply

Hot said,
Maybe if I wish hard enough, this security update will also fix the instability issues I've had with the 10.6.3 update. >=(

Did you read this part:
The 10.6.3 v1.1 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac.

thenonhacker Reply

And I thought Apple products are secure and unbreakable like Steve & Co. always boasted in the "I'm a Mac" ads.

+Inklin Reply

thenonhacker said,
And I thought Apple products are secure and unbreakable like Steve & Co. always boasted in the "I'm a Mac" ads.

Titanic come to mind?

PyX Reply

thenonhacker said,
And I thought Apple products are secure and unbreakable like Steve & Co. always boasted in the "I'm a Mac" ads.

Oh, typical comment here... which has been answered gazillions of times. Just google your sentence or search on Neowin, you'll get your answer.

PeterTHX Reply

PsykX said,

Oh, typical comment here... which has been answered gazillions of times. Just google your sentence or search on Neowin, you'll get your answer.

Nonetheless when you pretty much tout yourself as "perfect" (especially compared to the competition, and when you FUD the competition) you leave yourself wide open to justifiable criticism.

Quapps Reply

PeterTHX said,

Nonetheless when you pretty much tout yourself as "perfect" (especially compared to the competition, and when you FUD the competition) you leave yourself wide open to justifiable criticism.

At the time that was the truth. Typical Mac hater comment!

Northgrove Reply

thenonhacker said,
And I thought Apple products are secure and unbreakable like Steve & Co. always boasted in the "I'm a Mac" ads.

How many times does this sentence need to be repeated on Neowin?

It's not even true. Apple has never said they are invulnerable to security exploits.

rawr_boy81 Reply

Northgrove said,

How many times does this sentence need to be repeated on Neowin?

It's not even true. Apple has never said they are invulnerable to security exploits.

Don't feed the troll; it is yet another idiot who can't afford a Mac so he slams it to make himself better about his Windows machine. You don't see me trolling Windows threads - why? Because I couldn't give a crap about whether Microsoft provides updates other than to say it is great that Microsoft has released an update for the two machines owned by my parents which I update for them.

nub Reply

Oops

nub Reply

rawr_boy81 said,
Don't feed the troll; it is yet another idiot who can't afford a Mac...

You are a sad, sad person.

Northgrove said,

How many times does this sentence need to be repeated on Neowin?
It's not even true. Apple has never said they are invulnerable to security exploits.

http://movies.apple.com/media/...uit-us-20090419_480x272.mov
http://movies.apple.com/movies...ac_ads1/viruses_480x376.mov
http://movies.apple.com/movies...etamac/trustmac_480x376.mov

wookietv Reply

Inklin said,

Titanic come to mind?

which coincidentally happened on this date back in 1912...

PyX Reply

This is marketing guys. Apple really DOES put a lot of emphasis on the quality, so their marketing HAS to show clearly what their goals are.

I'm becoming an industrial engineer and I can tell you that no matter how much work you put in the quality, there's ALWAYS problems. No company is invulnerable. And no matter how many people you put in the department, it just becomes more than a mess to manage.

After all, we're humans, it's really hard to predict what can happen with code, and no matter how awesome a programmer can be, there are some things he will miss. I know 2 programmers like these and I can tell you that they STILL do mistakes sometimes. Saying Apple is invulnerable would be like saying their employees are perfect, but they're humans, so not perfect at all.

They never classified them as invulnerable, but they do say that their products and employees are top notch. Everybody with a company with these anchored values and focus on quality would use the same marketing lines by the way.

C_Guy Reply

thenonhacker said,
And I thought Apple products are secure and unbreakable like Steve & Co. always boasted in the "I'm a Mac" ads.

Comments like these aren't going to stop until Stevie stops creating a false sense of security among his customers. No code is perfect, no computer is immune to any form of attack. But try and tell that to most Mac people and they'll rip your face off, even in the face of news articles such as this one. It's kind of sad but these people take Stevie's word as Gospel.

C_Guy Reply

Inklin said,

Titanic come to mind?

The largest ship ever built? No, can't say that I can relate it to a product with about 5% marketshare

StarLion Reply

C_Guy said,

The largest ship ever built? No, can't say that I can relate it to a product with about 5% marketshare


Are you intentionally missing the point?

He was referring to the fact that the Titanic was called "unsinkable," yet it sank.
Apple paints the picture that OSX users don't have to worry about viruses, yet that isn't the truth either.

Eddo89 Reply

Hot said,
Why must every news post about an Apple patch be derailed by these retarded comments from Mac haters?

If you have something against Apple's products or business practices, please leave it to stories that actually FOCUS on Apple's products or business practices.

Do you see PlayStation fans derailing Windows support threads because they don't like Xbox? Or Photoshop being derailed because Adobe Reader is bloated?

And who the **** are you trying to prove something to? Mac users? We already KNOW Macs aren't perfect, otherwise the post itself would not exist.

Honestly, from the Mac side it sounds like you are just trying to cull some weird, suppressed Mac jealousy by re-affirming to YOURSELVES how much Macs "suck".

People are just making fun of the "perfect" statement as opposed to Apple product. But hey, it remains fun to them when people get ****ed off when they make it.

REM2000 Reply

Eddo89 said,

People are just making fun of the "perfect" statement as opposed to Apple product. But hey, it remains fun to them when people get ****ed off when they make it.

Yes, but these jokes are now a little tired; it's a bit like every time a Windows post is added and a few people make a reference to BSOD. Funny years ago but now rather stale.

Northgrove Reply

Hot said,
Why must every news post about an Apple patch be derailed by these retarded comments from Mac haters?

Because this community is consumed by that kind and ignorant Wintel fanboys. It *is* retarted, most people here simply have to know it, but nothing is ever done about it. So it keeps being retarded. Visit Reddit or some other place where people have more brains and can actually coexist. Yes, that is the sad truth, and why I'll never be a news contributor. Imagine how tiring it is for them, trying to cover Apple stories and make this website encompass more platforms, just to have trolls write in the comment section, claiming things Steve Jobs has never done either in public or in commercials. Every. Single. Time. Jesus Christ, the writers here have a godlike patience.

GP007 Reply

Northgrove said,

Because this community is consumed by that kind and ignorant Wintel fanboys. It *is* retarted, most people here simply have to know it, but nothing is ever done about it. So it keeps being retarded. Visit Reddit or some other place where people have more brains and can actually coexist. Yes, that is the sad truth, and why I'll never be a news contributor. Imagine how tiring it is for them, trying to cover Apple stories and make this website encompass more platforms, just to have trolls write in the comment section, claiming things Steve Jobs has never done either in public or in commercials. Every. Single. Time. Jesus Christ, the writers here have a godlike patience.

Oh wow, defensive much? I love how you call people ignorant "Wintel" fanboys when 1) all Macs use Intel hardware now, 2) as tired and old as you cry about these comments being I keep managing to find Apple fanboys posting the same repeating lame jokes about MS for years.

But I suppose if we keep poking fun at MS or someone else it's fine, but if it's Apple, oh no! Steve NEVER said that! Get a grip. The I'm a Mac ads indirectly state that Macs never have problems like PC's do, and are thus somehow perfect. Do things always have to be spelt out? Can't you read between the lines as they say?

nub Reply

Hot said,
Why must every news post about an Apple patch be derailed by these retarded comments from Mac haters?

Because it's obviously working.

Also it is related to the story.

twist Reply

Northgrove said,

Because this community is consumed by that kind and ignorant Wintel fanboys. It *is* retarted, most people here simply have to know it, but nothing is ever done about it. So it keeps being retarded. Visit Reddit or some other place where people have more brains and can actually coexist. Yes, that is the sad truth, and why I'll never be a news contributor. Imagine how tiring it is for them, trying to cover Apple stories and make this website encompass more platforms, just to have trolls write in the comment section, claiming things Steve Jobs has never done either in public or in commercials. Every. Single. Time. Jesus Christ, the writers here have a godlike patience.

if you're going to call people retarded, at least spell it right. but those "retarts" are just trolls anyways, unlike you oh mighty mac fans, upholders of glory, seekers of truth!

C_Guy Reply

Hot said,
Why must every news post about an Apple patch be derailed by these retarded comments from Mac haters?

For the same reason that Mac lovers are relentless in their idea that their computers are perfect, invincible, immune to any sort of flaw. That is just as tiring to hear so don't act like the "retarded" comments are one-sided. There are at least as many people on the other side of the debate with comments just as bad.

roadwarrior Reply

C_Guy said,

For the same reason that Mac lovers are relentless in their idea that their computers are perfect, invincible, immune to any sort of flaw.


You are so full of **** that your eyes are brown. The only people making the claim that Macs are supposedly "perfect" are Wintel trolls who like putting words in the mouths of Mac users (or even Apple themselves). Prove me wrong, or lump yourself in with those trolls.

LiquidSolstice Reply

roadwarrior said,

You are so full of **** that your eyes are brown. The only people making the claim that Macs are supposedly "perfect" are Wintel trolls who like putting words in the mouths of Mac users (or even Apple themselves). Prove me wrong, or lump yourself in with those trolls.

And how exactly should we do so? Talk about the relentless advertising campaign which chose to insult Windows 7 before it even came out? Or perhaps what happens when a Windows exploit is uncovered and the comments are full of nothing but "Perpetuating the Windows stereotype, aren't we?"?

I love how it's totally ok for any Apple user to poke fun of Windows or the Microsoft Ecosystem (as if it's their job to do so) but the moment something like this happens and Windows users seize the chance to return the favor, it's apparently such heresy that we should all be burned at the stake.

Oh, and nice use of the pretend word "Wintel". Cute.

astroXP Reply

Yeah, let us some have some us Windows users with this fix to the 'number one customer satisfaction' product! yay!

Sjokkel Reply

astroX said,
Yeah, let us some have some us Windows users with this fix to the 'number one customer satisfaction' product! yay!

I wouldn't stumble in to that alley. Crack is also the 'number one customer satisfaction' product amongst crack addicts.

nub Reply

astroX said,
Yeah, let us some have some us Windows users with this fix to the 'number one customer satisfaction' product! yay!

Does this make any sense to anyone?

NeoTrunks Reply

nub said,

Does this make any sense to anyone?

Not I. But I really never come expecting much sense out of the comments from these articles. I'm really not sure where this one is going at all, though.

+StevoFC Reply

The 10.6.3 update is a huge mess. I don't even trust them anymore. I will wait to see how much this latest update screws up before I even consider it.

protocol7 Reply

StevoFC said,
The 10.6.3 update is a huge mess. I don't even trust them anymore. I will wait to see how much this latest update screws up before I even consider it.

What problems are you having? Haven't noticed anything crazy here since updating.

NeoTrunks Reply

StevoFC said,
The 10.6.3 update is a huge mess. I don't even trust them anymore. I will wait to see how much this latest update screws up before I even consider it.

With the speed increases, I feel like this simple point release has bestowed me with a new computer. I've had nothing but a great experience with this update. What issues have you had? Also, did you upgrade from 10.6.0 or 10.6.1 to the latest (skipping 10.6.2)?

+StevoFC Reply

protocol7 said,

What problems are you having? Haven't noticed anything crazy here since updating.

My iMac crashes repeatedly with the 10.6.3 update.
Look at the Apple Forums and see all of the issues with the update... http://discussions.apple.com/s...jspa?search=Go&q=10.6.3

roadwarrior Reply

StevoFC said,

My iMac crashes repeatedly with the 10.6.3 update.
Look at the Apple Forums and see all of the issues with the update... http://discussions.apple.com/s...jspa?search=Go&q=10.6.3

Did you notice the v1.1 for the 10.6.3 update that was released along with this security update?

protocol7 Reply

StevoFC said,
My iMac crashes repeatedly with the 10.6.3 update.
Look at the Apple Forums and see all of the issues with the update... http://discussions.apple.com/s...jspa?search=Go&q=10.6.3

Ah ok. MacBook here and haven't had any problems.

techbeck Reply

Wow, it only took Apple a week or two this time to patch something. Come on, let's all give Apple credit for doing their jobs and what they should have been doing in the first place, but faster.

roadwarrior Reply

How about the wonderful job Microsoft did of doing things right in the first place? Why is it that my XP machine is STILL getting security fixes?

omnicoder Reply

roadwarrior said,
How about the wonderful job Microsoft did of doing things right in the first place? Why is it that my XP machine is STILL getting security fixes?

Because 95% of the world uses it so people have a reason to expend lots of resources to find any potential problems.

DaveGreen Reply

Three years in the making... not bad.
:-D