Apple OS X Leopard Harbors Same iOS Bug, Apple Delays Patch

Hackers can take advantage of a critical vulnerability in Apple OS X to take over Macs, warned security researchers on Nov. 8.

The vulnerability is in Leopard, an older verson of the Macintosh operating system. Despite the release of Snow Leopard more than a year ago, Leopard still accounts for approximately a third of the current installed base, the researchers said.

The warning was issued by CoreLabs Research, the research arm of Core Security Technologies. According to the security advisory, Apple wrapped up work on the patch as of Oct. 22.

According to Core, Apple set two release dates for the patch but “failed” to meet their dates without “any notice or explanation.” First expected as part of a “Mac OS 10.5 security update” scheduled for the week of Oct. 25, Apple rescheduled the release to a week later without warning.

Core researchers decided to proceed with the security advisory even though the patch allegedly exists because it was not clear when the fix will actually be rolled out to users.

It is a variation of the bug Apple patched last August in iOS that allowed developers to jailbreak iOS 4 devices, according to the researchers. That security flaw could have been exploited to plant malware or take over iOS mobile devices, including the iPhone, iPod Touch, and iPad.

The bug is specific to Mac OS X 10.5, or Leopard, and Apple verified that OS X 10.6, or Snow Leopard, is not vulnerable, said Core researchers. Core highly recommended upgrading to OS X 10.6 instead of waiting for the security update. Apple’s assigned identifier for this bug is CVE-2010-1797, said Core.

The issue is with how FreeType, an open-source font engine Apple uses in Mac OS X and iOS, parses compact font formant (CFF) fonts, Apple said of the iOS bug. FreeType has already patched the CFF bug in its source code, according to the project’s developers.

A remote attacker can execute arbitrary code by “enticing” a Mac OS X 10.5.x to view or download a PDF document containing an embedded malicious CFF font, said Core researchers.

According to Core, malicious code in the PDF file can be triggered when the operating system tries to make a thumbnail of the file, a user tries to open the file with the Preview application, users click on it from a Web site, or Mail.app accesses the e-mail it is embedded in.

Many security experts noted that Mac users are often oblivious to potential security threats. While vendors like ESET and Sophos offer anti-virus software for the Mac, there is still a false sense of invulnerability among Mac users. Sophos security expert Graham Cluley speculated recently that Apple does not publicly announce anti-malware security updates for marketing reasons: “Shh! Don’t tell folks that we have to protect against malware on Mac OS X!” he wrote.

Core reported the vulnerability to Apple on Aug. 26, two weeks after the iOS hole was patched. Core initially planned to publish the security warning on Sept. 28, but Apple said it would not be able to finish the patch by that date, according to Core’s timeline of events.

Apple tentatively set Oct. 18 for the update, and then finalized the fix for Oct. 25. When Core contacted the security team on Nov. 1 for an update because there was “no notice of any Apple security update,” Apple said the date had been rescheduled to the “middle of the week” of Nov. 1. At this point, Core researchers informed Apple they would go ahead and publish their warning regardless of what Apple decided to do.