Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch Vulnerability
The information has been provided by Anibal Sacco and Matias Eissler.
The original article can be found at: http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch
* Apple Mac OSX v10.5.x
* Apple Mac OSX v10.6
This vulnerability could be used by a remote attacker to execute arbitrary code by enticing a user of Mac OS X v10.5.x to view or download a PDF document containing an embedded malicious CFF (Compact Font Format) font.
This vulnerability is a variation of CVE-2010-1797 (the FreeType vulnerability used by the JailbreakMe iPhone exploit).
When a PDF with an embedded CFF font is loaded, a sign mismatch error occurs in ATSServer while handling the last offset value of the CharStrings INDEX structure.
This could be triggered in different ways:
– When a thumbnail of the file is generated
– When the file is opened with the Preview app
– When the file is served from a web server and the user is tricked into clicking on it
– When the file is embedded in an email (if handled by Mail.app)
This lets an attacker corrupt the process memory by controlling the size parameter of a memcpy function call, which can lead to code execution.
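As an added illustration, not code from the advisory or from Apple or Core, the following bounds-checked reader for a CFF INDEX shows the check that prevents the class of bug described above: every offset read from the file is kept unsigned and the data length derived from the last offset is compared against the bytes actually present before it could ever reach a memcpy. The two sample INDEX byte arrays are constructed here as assumptions, not taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>

/* Read one big-endian offset of off_size bytes as an unsigned value. */
static uint32_t read_offset(const uint8_t *p, uint8_t off_size)
{
    uint32_t v = 0;
    for (uint8_t i = 0; i < off_size; i++) v = (v << 8) | p[i];
    return v;
}

/* Validate the CFF INDEX at buf[0..len): Card16 count, 1-byte offSize,
 * (count+1) big-endian 1-based offsets, then the object data whose length
 * is (last offset - 1). Returns that length, or -1 if the INDEX is malformed.
 * Every value taken from the file stays unsigned and is checked against the
 * bytes actually present, so a last offset with its top bit set can never
 * become a negative, and therefore huge, memcpy size. */
long cff_index_data_len(const uint8_t *buf, size_t len)
{
    if (len < 2) return -1;
    uint16_t count = (uint16_t)((buf[0] << 8) | buf[1]);
    if (count == 0) return 0;                        /* empty INDEX is 2 bytes */
    if (len < 3) return -1;
    uint8_t off_size = buf[2];
    if (off_size < 1 || off_size > 4) return -1;
    size_t n_offsets = (size_t)count + 1;
    size_t arr_len = n_offsets * off_size;           /* <= 65537*4, no overflow */
    if (len - 3 < arr_len) return -1;                /* offset array truncated */
    const uint8_t *offsets = buf + 3;
    size_t avail = len - 3 - arr_len;                /* bytes after the array */
    uint32_t prev = read_offset(offsets, off_size);
    if (prev != 1) return -1;                        /* first offset must be 1 */
    for (size_t i = 1; i < n_offsets; i++) {
        uint32_t cur = read_offset(offsets + i * off_size, off_size);
        if (cur < prev) return -1;                   /* offsets never go backwards */
        prev = cur;
    }
    if ((size_t)prev - 1 > avail) return -1;         /* last offset past the buffer */
    return (long)(prev - 1);
}

/* Constructed samples, not from the advisory: a valid INDEX holding "ab","c",
 * and one whose 4-byte last offset (0xFFFFFFF0) is negative if read as int. */
const uint8_t GOOD[] = { 0x00,0x02, 0x01, 0x01,0x03,0x04, 'a','b','c' };
const uint8_t BAD[] = { 0x00,0x01, 0x04, 0,0,0,1, 0xFF,0xFF,0xFF,0xF0, 'x' };
```

A parser that instead stored the last offset in a signed int would compute -17 for BAD and hand that, converted to size_t, to memcpy; the unsigned comparison against avail rejects it before any copy.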
For further information about this issue, see the Apple security updates pages:
Apple security updates
Apple security updates are available via the Software Update mechanism:
Apple security updates are also available for manual download via:
2010-08-26: Vendor contacted
2010-11-01: Apple acknowledges
2010-11-08: Core publishes advisory CORE-2010-0825.