Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch Vulnerability


Apple Type Services is prone to memory corruption due to a sign mismatch vulnerability when handling the last offset value of the CharStrings INDEX structure.


The information has been provided by Anibal Sacco and Matias Eissler.
The original article can be found at: http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch


Vulnerable Systems:
 * Apple Mac OSX v10.5.x

Immune Systems:
 * Apple Mac OSX v10.6

This vulnerability could be used by a remote attacker to execute arbitrary code by enticing a user of Mac OS X v10.5.x to view or download a PDF document containing an embedded malicious CFF (Compact Font Format) font.

This vulnerability is a variation of the vulnerability labeled as CVE-2010-1797 (FreeType JailbreakMe iPhone exploit variation).

When loading a PDF with an embedded CFF font, a sign mismatch error exists in ATSServer when handling the last offset value of the CharStrings INDEX structure.

This could be triggered in different ways:

– When trying to make a thumbnail of the file
– When trying to open the file with the Preview app
– Serving the file from a web server and tricking the user into clicking on it.
– Embedded in an email (if handled by Mail.app)

This allows an attacker to corrupt the process memory by controlling the size parameter of a memcpy function call, which can lead to code execution.
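The following is an added illustration of the defect class the advisory describes and of the check that defeats it; it is hypothetical code written for this page, not ATSServer's, Apple's or Core's code. A CFF INDEX is a 16-bit count, a 1-byte offSize, count+1 big-endian 1-based offsets, then the object data; the data length is the last offset minus one. `signed_check_accepts` shows how a length derived from that last offset slips past a bounds check once it is held in a signed `int`, and `cff_index_parse` shows a hardened parser that keeps every length unsigned, requires offsets to start at 1 and never decrease, and compares the data length against the bytes actually present before any `memcpy`. The two byte arrays are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a big-endian unsigned integer of off_size (1..4) bytes. */
static uint32_t read_be(const uint8_t *p, unsigned off_size) {
    uint32_t v = 0;
    for (unsigned i = 0; i < off_size; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Defect class from the advisory (hypothetical, not ATSServer's code): the
 * length derived from the unsigned last offset lands in a signed int, so
 * 0xFFFFFFFF - 1 becomes -2, the signed comparison says it "fits", and a later
 * memcpy would receive it as a huge size_t. Returns 1 when the check accepts. */
int signed_check_accepts(uint32_t last_offset, int remaining) {
    int len = (int)last_offset - 1;   /* sign mismatch: unsigned field -> signed length */
    return len <= remaining;
}

typedef struct {
    uint16_t count;
    uint8_t off_size;
    const uint8_t *offsets;   /* count+1 big-endian offsets of off_size bytes each */
    const uint8_t *data;      /* start of object data */
    size_t data_len;          /* object data length, validated against the buffer */
} cff_index;

/* Hardened parse: lengths stay unsigned and are checked against the bytes
 * actually present before anything is copied. 0 on success, -1 if malformed. */
int cff_index_parse(const uint8_t *buf, size_t buf_len, cff_index *out) {
    if (buf_len < 2) return -1;
    uint16_t count = (uint16_t)((buf[0] << 8) | buf[1]);
    if (count == 0) {                 /* an empty INDEX is exactly two bytes */
        memset(out, 0, sizeof *out);
        return 0;
    }
    if (buf_len < 3) return -1;
    uint8_t off_size = buf[2];
    if (off_size < 1 || off_size > 4) return -1;
    size_t n_offsets = (size_t)count + 1;
    size_t header_len = 3 + n_offsets * off_size;   /* at most 3 + 65536*4 */
    if (buf_len < header_len) return -1;
    const uint8_t *offsets = buf + 3;
    /* Offsets are 1-based, start at 1 and must never decrease. */
    uint32_t prev = read_be(offsets, off_size);
    if (prev != 1) return -1;
    for (size_t i = 1; i < n_offsets; i++) {
        uint32_t cur = read_be(offsets + i * off_size, off_size);
        if (cur < prev) return -1;
        prev = cur;
    }
    /* prev is the last offset: data is last-1 bytes. Unsigned comparison
     * against the remaining buffer is the check the sign mismatch defeats. */
    size_t data_len = (size_t)prev - 1;
    if (data_len > buf_len - header_len) return -1;
    out->count = count;
    out->off_size = off_size;
    out->offsets = offsets;
    out->data = buf + header_len;
    out->data_len = data_len;
    return 0;
}

/* Copy object i (0-based) into dst; returns bytes copied or -1. The offsets
 * were validated by cff_index_parse, so end >= start and the data is in bounds. */
long cff_index_get(const cff_index *idx, size_t i, uint8_t *dst, size_t dst_len) {
    if (i >= idx->count) return -1;
    uint32_t start = read_be(idx->offsets + i * idx->off_size, idx->off_size);
    uint32_t end   = read_be(idx->offsets + (i + 1) * idx->off_size, idx->off_size);
    size_t len = (size_t)(end - start);
    if (len > dst_len) return -1;
    memcpy(dst, idx->data + (start - 1), len);
    return (long)len;
}

/* Constructed sample: 2 objects, offSize 1, offsets 1,3,6 -> "AB" and "CDE". */
static const uint8_t SAMPLE_OK[] = {
    0x00, 0x02, 0x01, 0x01, 0x03, 0x06, 'A', 'B', 'C', 'D', 'E'
};
/* Constructed malformed sample: 1 object, offSize 4, last offset 0xFFFFFFFF,
 * but only two bytes of data actually follow the offset array. */
static const uint8_t SAMPLE_BAD[] = {
    0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B'
};

/* Parses SAMPLE_OK and extracts object 1; returns the data length (5) or -1. */
long demo_parse_valid(void) {
    cff_index idx;
    uint8_t tmp[8];
    if (cff_index_parse(SAMPLE_OK, sizeof SAMPLE_OK, &idx) != 0) return -1;
    if (cff_index_get(&idx, 1, tmp, sizeof tmp) != 3 || memcmp(tmp, "CDE", 3) != 0) return -1;
    return (long)idx.data_len;
}

/* Returns cff_index_parse's verdict on SAMPLE_BAD (-1 means rejected). */
int demo_parse_malformed(void) {
    cff_index idx;
    return cff_index_parse(SAMPLE_BAD, sizeof SAMPLE_BAD, &idx);
}

int main(void) {
    printf("valid: data_len=%ld  malformed: parse=%d  signed check accepts 0xFFFFFFFF: %d\n",
           demo_parse_valid(), demo_parse_malformed(), signed_check_accepts(0xFFFFFFFFu, 100));
    return 0;
}
```

The same malformed INDEX that `signed_check_accepts` waves through is rejected by `cff_index_parse` before any copy happens, which is the property a font parser needs: the length fed to `memcpy` must be derived in unsigned arithmetic and bounded by the input that is really there, not trusted from the file.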

Patch Availability:
For further information about this issue look at the Apple security updates pages:
Apple security updates
Apple security updates are available via the Software Update mechanism:
Apple security updates are also available for manual download via:

CVE Information:

Disclosure Timeline:
2010-08-26: Vendor contacted
2010-11-01: Apple acknowledges
2010-11-08: Core publishes advisory CORE-2010-0825.
