Apple Mac OS X CoreText embedded font vulnerability

Overview

Apple Mac OS X CoreText contains a use-after-free vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Apple Mac OS X CoreText is a text layout and font processing engine that is used to handle embedded fonts.CoreText contains a use-after-free vulnerability that can allow arbitrary code execution.

---

Impact

By convincing a user to open a document with a specially-crafted embedded font, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

---

Solution

Apply an update

This issue is addressed in OS X Lion v10.7.3 and Security Update 2012-001.

---

Vendor Information

410281

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Inc. Affected

Notified: October 20, 2011 Updated: February 02, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://support.apple.com/kb/HT5130&gt;

CVSS Metrics

Group	Score	Vector
Base	9	AV:N/AC:M/Au:N/C:C/I:C/A:P
Temporal	7	E:POC/RL:OF/RC:C
Environmental	7	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

• <http://support.apple.com/kb/HT5130&gt;
• <http://developer.apple.com/library/mac/documentation/StringsTextFonts/Conceptual/CoreText_Programming/Introduction/Introduction.html&gt;

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2011-3449
Severity Metric:	5.77 Date Public: