Credit:
The information has been provided by Anibal Sacco and Matias Eissler.
The original article can be found at: http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch
Vulnerable Systems:
* Apple Mac OSX v10.5.x
Immune Systems:
* Apple Mac OSX v10.6
This vulnerability could be used by a remote attacker to execute arbitrary code by enticing a user of Mac OS X v10.5.x to view or download a PDF document containing an embedded malicious CFF (Compact Font Format) font.
This vulnerability is a variation of CVE-2010-1797, the FreeType CFF bug behind the JailbreakMe iPhone exploit.
When a PDF with an embedded CFF font is loaded, ATSServer mishandles the last offset value of the CharStrings INDEX structure because of a sign mismatch (the offset is treated as a signed quantity where an unsigned one is required).
The bug can be triggered in several ways:
- When the system generates a thumbnail of the file
- When the file is opened with the Preview app
- By serving the file from a web server and tricking the user into clicking on it
- By embedding the file in an email (if it is handled by Mail.app)
The mismatched offset value ends up controlling the size parameter of a memcpy call, so an attacker who controls the font can corrupt the memory of the ATSServer process and obtain code execution.
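The following is an added illustration of the bug class the advisory describes, not Core's proof of concept and not ATSServer's code. It parses a CFF INDEX structure (2-byte count, 1-byte offSize, count+1 big-endian offsets, then the element data) and shows two lookups of the last element: a hypothetical unsafe one that holds the offsets in a signed int, so a last offset with the high bit set passes the bounds test and wraps into a huge memcpy length, and a hardened one that keeps the offsets unsigned and checks every relation the format requires before deriving a length. The two INDEX byte strings are constructed for this example and are not taken from a real font; the unsafe path reports the size it would pass to memcpy rather than copying, so the program runs without corrupting memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed view of a CFF INDEX: a 2-byte count, a 1-byte offSize, (count+1)
   big-endian offsets of offSize bytes each, then the element data. Offsets
   are 1-based and relative to the byte preceding the data. */
typedef struct {
    uint16_t count;
    uint8_t off_size;
    const uint8_t *offsets;
    const uint8_t *data;
    size_t data_len;
} cff_index;

static uint32_t read_be(const uint8_t *p, uint8_t n) {
    uint32_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Locate the offset table and element data inside buf. Returns 0 on success,
   -1 if the header or offset table does not fit in len bytes. */
static int cff_index_open(const uint8_t *buf, size_t len, cff_index *idx) {
    if (len < 3) return -1;
    idx->count = (uint16_t)((buf[0] << 8) | buf[1]);
    idx->off_size = buf[2];
    if (idx->off_size < 1 || idx->off_size > 4) return -1;
    size_t table = (size_t)(idx->count + 1) * idx->off_size;
    if (len - 3 < table) return -1;
    idx->offsets = buf + 3;
    idx->data = buf + 3 + table;
    idx->data_len = len - 3 - table;
    return 0;
}

/* Hypothetical UNSAFE lookup of the last element (illustration only, not
   ATSServer's code). The offsets are held in a signed int32_t, so with
   offSize 4 a last offset >= 0x80000000 becomes negative: the signed bounds
   test accepts it, and the negative length wraps to a huge size_t on its way
   to memcpy. This function only reports that size; it does not copy. */
static int last_element_len_unsafe(const cff_index *idx, size_t *copy_len) {
    if (idx->count == 0) return -1;
    int32_t start = (int32_t)read_be(idx->offsets + (idx->count - 1) * idx->off_size, idx->off_size);
    int32_t end   = (int32_t)read_be(idx->offsets + idx->count * idx->off_size, idx->off_size);
    if (end - 1 > (int32_t)idx->data_len) return -1;  /* signed compare: a negative end slips through */
    *copy_len = (size_t)(end - start);                /* negative int32 -> near SIZE_MAX */
    return 0;
}

/* Hardened lookup: offsets stay unsigned and are checked for being 1-based,
   non-decreasing and inside the data that actually exists. Returns 0 and
   sets *elem/*len on success, -1 on any malformed offset. */
static int cff_index_get(const cff_index *idx, uint16_t i, const uint8_t **elem, size_t *len) {
    if (i >= idx->count) return -1;
    uint32_t start = read_be(idx->offsets + (size_t)i * idx->off_size, idx->off_size);
    uint32_t end   = read_be(idx->offsets + (size_t)(i + 1) * idx->off_size, idx->off_size);
    if (start < 1 || end < start) return -1;
    if ((uint64_t)end - 1 > (uint64_t)idx->data_len) return -1;  /* unsigned compare */
    *elem = idx->data + (start - 1);
    *len = end - start;
    return 0;
}

/* Copy element i into out (capacity out_cap); returns bytes copied or -1. */
static long cff_index_copy(const cff_index *idx, uint16_t i, uint8_t *out, size_t out_cap) {
    const uint8_t *elem; size_t len;
    if (cff_index_get(idx, i, &elem, &len) != 0 || len > out_cap) return -1;
    memcpy(out, elem, len);
    return (long)len;
}

/* Constructed test vectors (not from any real font): count=2, offSize=4,
   four bytes of element data. Only the last offset differs: 5 in the
   well-formed INDEX, 0x80000005 in the malicious one. */
static const uint8_t good_index[] = {
    0x00, 0x02, 0x04,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x03, 0x00,0x00,0x00,0x05,
    0x8b, 0x0e, 0x8c, 0x0e };
static const uint8_t bad_index[] = {
    0x00, 0x02, 0x04,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x03, 0x80,0x00,0x00,0x05,
    0x8b, 0x0e, 0x8c, 0x0e };

/* 1 if the unsafe lookup accepts the malicious INDEX and derives a memcpy
   size larger than the data present, 0 if it rejects it, -1 on parse error. */
static int demo_unsafe_on_bad(void) {
    cff_index idx; size_t n;
    if (cff_index_open(bad_index, sizeof bad_index, &idx) != 0) return -1;
    if (last_element_len_unsafe(&idx, &n) != 0) return 0;
    return n > idx.data_len;
}
static long demo_checked_on_bad(void) {
    cff_index idx; uint8_t out[16];
    if (cff_index_open(bad_index, sizeof bad_index, &idx) != 0) return -2;
    return cff_index_copy(&idx, 1, out, sizeof out);   /* -1: rejected */
}
static long demo_checked_on_good(void) {
    cff_index idx; uint8_t out[16];
    if (cff_index_open(good_index, sizeof good_index, &idx) != 0) return -2;
    return cff_index_copy(&idx, 1, out, sizeof out);   /* 2 bytes copied */
}

int main(void) {
    printf("unsafe lookup fooled by malicious INDEX: %d\n", demo_unsafe_on_bad());
    printf("checked copy on malicious INDEX: %ld\n", demo_checked_on_bad());
    printf("checked copy on well-formed INDEX: %ld\n", demo_checked_on_good());
    return 0;
}
```

The hardened path is the check a font parser wants: compare offsets as unsigned values against the bytes actually present, require them to be non-decreasing, and derive the copy length only after both ends have been validated. Note that the unsafe variant relies on the int32_t cast wrapping and on `end - start` not overflowing for the chosen input; it exists only to make the failure mode visible.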
Patch Availability:
For further information about this issue look at the Apple security updates pages:
Apple security updates
http://support.apple.com/kb/HT1222
Apple security updates are available via the Software Update mechanism:
http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/
CVE Information:
CVE-2010-4010
Disclosure Timeline:
2010-08-26: Vendor contacted
2010-11-01: Apple acknowledges
2010-11-08: Core publishes advisory CORE-2010-0825.