Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Apple Safari web browser contains a remote code execution vulnerability in its Fonts feature. If a user were to open a malicious web page in Safari, they could trigger a type confusion, resulting in memory corruption and possibly arbitrary code execution. An attacker would need to trick the user into visiting the web page by some means to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details Apple Safari FontFaceSet remote code execution vulnerability (TALOS-2019-0967/CVE-2020-3868)

A type confusion vulnerability exists in the Fonts feature of Apple Safari, version 13.0.3. A specially crafted HTML web page can cause a type confusion, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, the target application needs to process a specially crafted HTML web page.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos tested and confirmed that this vulnerability affects Safari, version 13.0.3 (15608.3.10.1.4); Safari technology preview release 96 (Safari 13.1, WebKit 15609.1.9.7) and Webkit GIT e4cd3b4fab6166d1288984ded40c588439dab925.

Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52415, 52416