Aug 26, 2010 11:54 GMT

Apple has recently issued Security Update 2010-005, an 84 MB update that addresses over a dozen flaws in Mac OS X 10.5 Leopard and 10.6 Snow Leopard, in both the client and server versions of the operating system.

One of the vulnerabilities is described by Apple as follows:

ATS

CVE-ID: CVE-2010-1808

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.4, Mac OS X Server v10.6.4

Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution

Description: A stack buffer overflow exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking.

This flaw is notably similar to the “jailbreak vulnerability” that Apple fixed on iOS earlier this month.

At the time, a note on the Support section of Apple’s web site revealed that iOS 4.0.2 “fixes security vulnerability associated with viewing malicious PDF files.”

The vulnerability had allowed hackers to create an untethered jailbreak tool for iOS devices - JailbreakMe 2.0.

Going by the release notes for Security Update 2010-005, the flaw had been present in OS X builds as well.

Mac OS X and iOS share multiple similarities, the latter being only a scaled-down, less-featured version of the former.

Other fixes in the 2010-005 security update from Apple cover networking, CoreGraphics, and others. It also updates PHP to version 5.3.2.

The update can be installed through the automatic Software Update mechanism in the Mac's Apple menu, or downloaded separately for free as Security Update 2010-005 Client or Security Update 2010-005 Server.