Researchers sound alarm over critical Mac OS X bug
Core Security issues warning after Apple missed two patch deadlines
Computerworld - Security researchers today warned that Apple's OS X contains a critical vulnerability that attackers could use to hijack Macs running the older Leopard version of the operating system.
Although Leopard was supplanted by the new Snow Leopard operating system more than a year ago, the older version still accounts for about a third of all installations of Mac OS X.
The bug is a variation of one Apple patched last August in iOS. The flaw was used to "jailbreak" iOS 4 devices, and it could also be exploited to plant malware or commandeer an iPhone, iPad or iPod Touch.
According to Core Security Technologies, which issued an advisory on Monday, Apple has wrapped up work on a patch.
Nonetheless, Core released its warning, and explained why.
"We are normally very flexible, and will reschedule [our advisories' releases] when a vendor shows us that they are committed to fixing the bug," said Pedro Varangot, a researcher in CoreLabs, the R&D arm of Core Security. "We released the advisory because Apple told us that they already have the patch ready for release, twice told us that they would release it, but then didn't meet their own self-imposed deadlines."
By Core's timeline, the company reported the vulnerability to Apple on Aug. 26, two weeks after Apple patched the same flaw in iOS. Apple first told Core it would ship a fix on Oct. 25. But after failing to do that, the company then said it would address the bug by Nov. 3.
"We gave them enough time," said Varangot, who added that Core last week e-mailed Apple a final warning saying that it would publish an advisory on Monday, but heard nothing back from the company's security team.
The vulnerability is in Apple's parsing of CFF (compact font format) fonts, and affects Mac OS X 10.5, or Leopard. Mac OS X 10.6, dubbed "Snow Leopard," is not vulnerable, said Varangot. Apple confirmed that to Core, he said.
"Apple changed the FreeType library used in 10.6, and that library doesn't have the vulnerability," Varangot said.
The connection to the iOS jailbreak bug was an important reason why Core jumped the advisory gun. Although Varangot said that the exploit code released last summer for iOS 4 wouldn't work as is on Mac OS X 10.5, Core feared that there was enough public information for criminal researchers to have found the flaw in Leopard and come up with attack code, too.
"Someone else may have already discovered this vulnerability, and may be using it for targeted attacks," Varangot said. "The JailBreakMe hack received a lot of attention in the press, and a lot of researchers looked at it. It wouldn't be anything original if someone had found this bug [in Mac OS X]."
Three months ago, other researchers wondered whether Mac OS X also harbored the vulnerability used by the JailBreakMe.com site to hack iPhones. "Apple no patchy OS X. Is it not vulnerable or do they only care in stopping jailbreaking?" tweeted Charlie Miller after Apple patched the bug in iOS 4 on Aug. 11.
Miller weighed in today as well. "Classic timeline of Apple-researcher communication and why researchers don't want the hassle," said Miller on Twitter, pointing to Core's advisory.
"Apple likes to establish dates that it is not going to honor, and to be honest, it looks like some kind of power demonstration [to] me," Sacco said on his personal blog Tuesday.
Sacco is the manager of Core's OS X platform development.
Recent reports by Apple-centric blogs, including Tuaw.com, have said that Apple will likely update Mac OS X, including Leopard, very soon.
Varangot is wishing that's the case. "Apple has twice missed its own deadline [for a patch], so I hope they release it soon," he said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Apple hands stock worth $12.1M to top execs in retention deal
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts