
Leopard security bug fix on the way? [U]

updated 01:35 am EST, Wed November 10, 2010

Security firm goes public after missed deadlines

[Update: This bug has been fixed as part of Security Update 2010-007, released today] An important security bug in Mac OS X 10.5 (Leopard) that remains unpatched despite missed deadlines from Apple has forced Core Security Technologies to go public with the exploit, even though a fix may be imminent. Apple was informed of the flaw, which has also been used to create jailbreaking software for iOS devices, and has already developed a patch, but the company has missed two promised deadlines to release it, says the firm.

The problem, which centers on a flaw in the way OS X parses Compact Font Format (CFF) fonts, only affects 10.5.x and not Snow Leopard. Apple fixed the same flaw in iOS in mid-August, and Core notified Apple of the problem in Leopard later that same month. Apple first promised the security company a fix in mid-October, then pushed it back to November 3rd. When that second deadline was missed, Core went public with the vulnerability, concerned that attackers will have had time to develop malware based on the exploit, which could still affect up to one-third of Apple's 50 million-plus user base.

Apple plans to release 10.6.5 in the near future, and updates to iTunes and iOS itself are also expected shortly. It's possible that the company is waiting to roll out the Leopard patch with these other updates rather than issue a Leopard fix by itself. So far, there have been no reports of any malware based on this flaw "in the wild."




by MacNN Staff


Comments

  1. FireWire

    Joined: Dec 1969

    0

    forced.. forced!!

    They had no other solution, like waiting a few more days.. effing scums... Apple didn't manage to finish the patches in time, so we're FORCED to reveal the vulnerability to the whole world...

  1. testudo

    Joined: Dec 1969

    +5

    Re: forced.. forced!!

    They had no other solution, like waiting a few more days.. effing scums...

    Yes, forced, as in "Let the public know of a serious security vulnerability, so they can make an educated decision on how to deal with it, rather than living in a fantasy world their OS is secure and has no issues."

    A lot of you all seem to think that only one person can find a vulnerability and if they kept quiet, no one would know. Truth is, if a security company can find it, how many hackers and the like already know?

    Apple didn't manage to finish the patches in time, so we're FORCED to reveal the vulnerability to the whole world...

    The whole point of announcing it is to FORCE the company to release a patch. Otherwise they might just sit on it because it's "too hard" to fix, or "that's our old OS, we don't really support it".

    For perhaps you didn't read the article and notice that Apple has known about the flaw since August (2+ months ago). And they missed not one, but two, self-imposed deadlines for releasing the fix. And note that it is a bug they fixed in iOS, so one would expect the fix to be not much different for Leopard, as they're based, supposedly, on the same code.

    So, yes, they were FORCED to announce it because all they got from Apple was "Yeah, yeah, we'll get to it."

    BTW, if MS did the above, you'd probably be raising holy h*** on them for not fixing it immediately and instead waiting for 2 months.
