After being public outed by the security company that brought the flaw to Apple’s attention, Apple has released a patch to OS X Leopard (10.5) to fix the critical vulnerability in how CFF font files are handled:
Apple on Wednesday released Security Update 2010-007, bringing the same security patches included in the recent Mac OS X 10.6.5 release to Macs running 10.5 Leopard client or server versions.
Among the more prominent fixes included in the update is a fix for a bug in Apple Type Services which could allow the downloading of a maliciously crafted font file to lead to arbitrary code execution. That bug, originally caught by security firm Core Security, was similar to a vulnerability in Apple’s iOS that allowed hackers to jailbreak devices running that software. Apple patched the flaw in an iOS update
via Security Update 2010-007 patches Mac OS X 10.5 | Operating Systems | MacUser | Macworld.
This flaw, if you remember, was patched in iOS over the summer (which neutered many jailbreak tools) and Snow Leopard isn’t effected by the flaw because fonts are handled differently in 10.6. If you have OS X 10.5 Leopard, you should go to the Apple menu and check for updates now to get the patch.
Get the TNW newsletter
Get the most important tech news in your inbox each week.