updated 01:35 am EST, Wed November 10, 2010
Security firm goes public after missed deadlines
[Update: This bug has been fixed as part of Security Update 2010-007, released today] An important security bug in Mac OS X 10.5 (Leopard), still unpatched after Apple missed its own deadlines, has prompted Core Security Technologies to publish details of the vulnerability, even though a fix may be imminent. According to the firm, Apple was informed of the flaw, which has also been used to build jailbreaking software for iOS devices, and has already developed a patch, but has missed two promised release dates for it.
The problem centers on a flaw in the way OS X parses Compact Font Format (CFF) fonts; it affects only 10.5.x, not Snow Leopard. Apple fixed the same flaw in iOS in mid-August, and Core notified Apple of the problem in Leopard later that same month. Apple first promised the security company a fix for mid-October, then pushed it back to November 3rd. When that second deadline was also missed, Core went public with the vulnerability, concerned that attackers, who have known of the flaw since the iOS fix and the jailbreak that used it, have had ample time to develop malware based on the exploit, which could still affect up to one-third of Apple's 50 million-plus userbase.
Apple plans to release 10.6.5 in the near future, and updates to iTunes and iOS itself are also expected shortly; it is possible that the company intended to roll out the Leopard patch alongside these rather than issue a standalone Leopard fix. So far there have been no reports of malware exploiting this flaw "in the wild."