The iOS 4 bug that allowed hackers to jailbreak iPhones exists in Mac OS X 10.5, or Leopard. While Apple has the patch, it won't release it.
Hackers can take advantage of a critical
vulnerability in Apple OS X to take over Macs, warned security
researchers on Nov. 8.
The vulnerability is in Leopard, an older
verson of the Macintosh operating system. Despite the release of Snow
Leopard more than a year ago, Leopard still accounts for approximately
a third of the current installed base, the researchers said.
The warning was issued by CoreLabs Research
the research arm of Core Security Technologies. According to the
security advisory, Apple wrapped up work on the patch as of Oct.
According to Core, Apple set two release dates
for the patch but "failed" to meet their dates without "any notice or
explanation." First expected as part of a "Mac OS 10.5 security update"
scheduled for the week of Oct. 25, Apple rescheduled the release to a
week later without warning.
Core researchers decided to proceed with the
security advisory even though the patch allegedly exists because it was
not clear when the fix will actually be rolled out to users.
It is a variation of the bug Apple patched last August in iOS that allowed developers to jailbreak iOS 4 devices
according to the researchers. That security flaw could have been
exploited to plant malware or take over iOS mobile devices, including
the iPhone, iPod Touch, and iPad.
The bug is specific to Mac OS X 10.5, or
Leopard, and Apple verified that OS X 10.6, or Snow Leopard, is not
vulnerable, said Core researchers. Core highly recommended upgrading to
OS X 10.6 instead of waiting for the security update. Apple's assigned
identifier for this bug is CVE-2010-1797, said Core.
The issue is with how FreeType, an open-source
font engine Apple uses in Mac OS X and iOS, parses compact font formant
(CFF) fonts, Apple said of the iOS bug. FreeType has already patched the CFF bug
in its source code, according to the project's developers.
A remote attacker can execute arbitrary code by
"enticing" a Mac OS X 10.5.x to view or download a PDF document
containing an embedded malicious CFF font, said Core researchers.
According to Core, malicious code in the PDF
file can be triggered when the operating system tries to make a
thumbnail of the file, a user tries to open the file with the Preview
application, users click on it from a Web site, or Mail.app accesses
the e-mail it is embedded in.
Many security experts noted that Mac users are often oblivious to potential security threats. While vendors like ESET and Sophos offer anti-virus software for the Mac
there is still a false sense of invulnerability among Mac users. Sophos
security expert Graham Cluley speculated recently that Apple does not
publicly announce anti-malware security updates
for marketing reasons: "Shh! Don't tell folks that we have to protect against malware on Mac OS X!" he wrote.
Core reported the vulnerability to Apple on
Aug. 26, two weeks after the iOS hole was patched. Core initially
planned to publish the security warning on Sept. 28, but Apple said it
would not be able to finish the patch by that date, according to Core's
timeline of events.
Apple tentatively set Oct. 18 for the update,
and then finalized the fix for Oct. 25. When Core contacted the
security team on Nov. 1 for an update because there was "no notice of
any Apple security update," Apple said the date had been rescheduled to
the "middle of the week" of Nov. 1. At this point, Core researchers
informed Apple they would go ahead and publish their warning regardless
of what Apple decided to do.