Researchers sound alarm over critical Mac OS X bug

Core Security issues warning after Apple missed two patch deadlines

Security researchers today warned that Apple's OS X contains a critical vulnerability that attackers could use to hijack Macs running the older Leopard version of the operating system.

Although Leopard was supplanted by the new Snow Leopard operating system more than a year ago, the older version still accounts for about a third of all installations of Mac OS X.

The bug is a variation of one Apple patched last August in iOS. The flaw was used to "jailbreak" iOS 4 devices, and could also be exploited to plant malware or commandeer an iPhone , iPad or iPod Touch.

According to Core Security Technologies, which issued an advisory Monday, Apple has wrapped up work on a patch.

Nonetheless, Core released its warning, and explained why.

"We are normally very flexible, and will re-schedule [our advisories'' releases] when a vendor shows us that they are committed to fixing the bug," said Pedro Varangot, a researcher in CoreLabs, the R&D arm of Core Security. "We released the advisory because Apple told us that they already have the patch ready for release, twice told us that they would release it, but then didn't meet their own self-imposed deadlines."

By Core's timeline, the company reported the vulnerability to Apple on Aug. 26, two weeks after Apple patched the same flaw in iOS. Apple first told Core it would ship a fix Oct. 25, then after failing to do so, said it would address the bug by Nov. 3.

"We gave them enough time," said Varangot, who added that Core e-mailed Apple a final warning last week that it would publish an advisory Monday, but heard nothing back from the company's security team.

The vulnerability is in Apple's parsing of CFF (compact font format) fonts, and affects Mac OS X 10.5, or Leopard. Mac OS X 10.6, dubbed " Snow Leopard", is not vulnerable, said Varangot. Apple confirmed that to Core, he said.

"Apple changed the FreeType library used in 10.6, and that library doesn't have the vulnerability," Varangot said.

The connection to iOS jailbreak bug was an important reason why Core jumped the advisory gun. Although Varangot said that the exploit code released last summer for iOS 4 wouldn't work as is on Mac OS X 10.5, Core feared that there was enough public information for criminal researchers to have found the flaw in Leopard and come up with attack code, too.

"Someone else may have already discovered this vulnerability, and may be using it for targeted attacks," Varangot said. "The Jailbreakme hack received a lot of attention in the press, and a lot of researchers looked at it. It wouldn't be anything original if someone had found this bug [in Mac OS X]."

Three months ago, other researchers wondered whether Mac OS X also harbored the vulnerability used by the jailbreakme.com site to hack iPhones. "Apple no patchy OS X. Is it not vulnerable or do they only care in stopping jailbreaking?" tweeted Charlie Miller after Apple patched the bug in iOS 4 on Aug. 11.

Miller weighed in today as well. "Classic timeline of Apple-researcher communication and why researchers don't want the hassle," said Miller on Twitter , pointing to Core's advisory.

Anibal Sacco, one of the two Core Security researchers who discovered the vulnerability, also hinted at the difficulties security experts sometimes encounter when working with Apple.

"Apple likes to establish dates that it is not going to honor and, to be honest, it looks like some kind of power demonstration [to] me," Sacco said on his personal blog Tuesday.

Sacco is the manager of Core's OS X platform development.

Recent reports by Apple-centric blogs, including Tuaw.com, have said that Apple will likely update Mac OS X, including Leopard, very soon.

Varangot is wishing that's the case. "Apple has twice missed its own deadline [for a patch], so I hope they release it soon," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Appleoperating systemssoftwareCore Security TechnologiesMalware and VulnerabilitiesMac OS

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?