Critical hole in Mac OS X 10.5.x

An advisory by security firm Core Security says that Mac OS X 10.5 (Leopard) contains a variant of a vulnerability which originally became know as the jailbreakme hole. According to the report, the flaw in the code for processing embedded fonts was first detected in the iPhone last August, but also affects the old, but currently still officially supported version of Mac OS X. Core Security say that the hole allows attackers to inject arbitrary code into vulnerable machines via specially crafted PDF documents and to execute it there at the user's privilege level.

Apple has reportedly confirmed the problem and is said to be working on a fix. Core Security say that an update was planned to be released by the end of October. It is unclear why the update hasn't yet been released; after all, Apple has known of the problem for two months. It appears that Core Security may intend to put pressure on Apple by issuing their advisory. However, Mac OS X 10.5 is probably no longer in widespread use, and the current version, Mac OS X 10.6.x (Snow Leopard), is not vulnerable.

According to the advisory, the flaw is a variant of an old hole in the FreeType library for processing fonts in Compact Font Format (CFF). The variation is that Mac OS X uses the Apple Type Services (ATS) font rendering engine instead of FreeType. A negative offset value in a data structure can reportedly be exploited to copy code into memory areas.

Apple already closed a similar hole in ATS last June – however, both Mac OS X 10.5.x and 10.6.x were affected at the time.

(trk)