November 10, 2010, 2:03 PM — Security researchers today warned that Apple's OS X contains a critical vulnerability that attackers could use to hijack Macs running the older Leopard version of the operating system.
Although Leopard was supplanted by the new Snow Leopard operating system more than a year ago, the older version still accounts for about a third of all installations of Mac OS X.
The bug is a variation of one Apple patched last August in iOS. The flaw was used to "jailbreak" iOS 4 devices, and could also be exploited to plant malware or commandeer an iPhone , iPad or iPod Touch.
According to Core Security Technologies, which issued an advisory Monday, Apple has wrapped up work on a patch.
Nonetheless, Core released its warning, and explained why.
"We are normally very flexible, and will re-schedule [our advisories'' releases] when a vendor shows us that they are committed to fixing the bug," said Pedro Varangot, a researcher in CoreLabs, the R&D arm of Core Security. "We released the advisory because Apple told us that they already have the patch ready for release, twice told us that they would release it, but then didn't meet their own self-imposed deadlines."
By Core's timeline, the company reported the vulnerability to Apple on Aug. 26, two weeks after Apple patched the same flaw in iOS. Apple first told Core it would ship a fix Oct. 25, then after failing to do so, said it would address the bug by Nov. 3.
"We gave them enough time," said Varangot, who added that Core e-mailed Apple a final warning last week that it would publish an advisory Monday, but heard nothing back from the company's security team.
The vulnerability is in Apple's parsing of CFF (compact font format) fonts, and affects Mac OS X 10.5, or Leopard. Mac OS X 10.6, dubbed " Snow Leopard ," is not vulnerable, said Varangot. Apple confirmed that to Core, he said.
"Apple changed the FreeType library used in 10.6, and that library doesn't have the vulnerability," Varangot said.