From Macworld/Computerworld: Core Security Technologies has gone public with a critical OS X Leopard security bug for which Apple has yet to release a patch, although it said it would on Oct 25th and then on Nov 3rd:
Security researchers Tuesday warned that Apple’s OS X contains a critical vulnerability that attackers could use to hijack Macs running the older Leopard version of the operating system.
Although Leopard was supplanted by the new Snow Leopard operating system more than a year ago, the older version still accounts for about a third of all installations of Mac OS X.
The bug is in how Leopard (OS X 10.5) handles CFF (Compact Font Format) fonts; it is the same flaw that was used to jailbreak iOS devices before Apple closed that hole on iOS in August. Core Security Technologies has worked with Apple on this critical flaw and held back the details until now to keep them out of the hands of attackers. However, now that Apple has missed another deadline and the flaw is still unpatched, they have decided to release the information.
Yes, they gave Apple fair warning, but I wonder if this kind of techno-blackmail will actually work on Apple. With both iOS 4.2 rumored for Friday and 10.6.5 rumored for tomorrow, I doubt that, even with a third of the install base vulnerable, Apple will rush a patch out the door now.
And frankly, I think that is a shame. If Apple has a patch ready, it should just release it, even if it draws attention away from bigger OS releases.