Researchers sound alarm over critical Mac OS X bug

Core Security issues warning after Apple missed two patch deadlines

By , Computerworld |  Security, Mac OS X

Security researchers today warned that Apple's OS X contains a critical vulnerability that attackers could use to hijack Macs running the older Leopard version of the operating system.

Although Leopard was supplanted by the new Snow Leopard operating system more than a year ago, the older version still accounts for about a third of all installations of Mac OS X.

The bug is a variation of one Apple patched last August in iOS. The flaw was used to "jailbreak" iOS 4 devices, and could also be exploited to plant malware or commandeer an iPhone , iPad or iPod Touch.

According to Core Security Technologies, which issued an advisory Monday, Apple has wrapped up work on a patch.

Nonetheless, Core released its warning, and explained why.

"We are normally very flexible, and will re-schedule [our advisories'' releases] when a vendor shows us that they are committed to fixing the bug," said Pedro Varangot, a researcher in CoreLabs, the R&D arm of Core Security. "We released the advisory because Apple told us that they already have the patch ready for release, twice told us that they would release it, but then didn't meet their own self-imposed deadlines."

By Core's timeline, the company reported the vulnerability to Apple on Aug. 26, two weeks after Apple patched the same flaw in iOS. Apple first told Core it would ship a fix Oct. 25, then after failing to do so, said it would address the bug by Nov. 3.

"We gave them enough time," said Varangot, who added that Core e-mailed Apple a final warning last week that it would publish an advisory Monday, but heard nothing back from the company's security team.

The vulnerability is in Apple's parsing of CFF (compact font format) fonts, and affects Mac OS X 10.5, or Leopard. Mac OS X 10.6, dubbed " Snow Leopard ," is not vulnerable, said Varangot. Apple confirmed that to Core, he said.

"Apple changed the FreeType library used in 10.6, and that library doesn't have the vulnerability," Varangot said.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness