Vulnerability Note VU#410281

Apple Mac OS X CoreText embedded font vulnerability

Original Release date: 02 Feb 2012 | Last revised: 28 Mar 2012

Overview

Apple Mac OS X CoreText contains a use-after-free vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Apple Mac OS X CoreText is a text layout and font processing engine that is used to handle embedded fonts.CoreText contains a use-after-free vulnerability that can allow arbitrary code execution.

Impact

By convincing a user to open a document with a specially-crafted embedded font, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

Solution

Apply an update

This issue is addressed in OS X Lion v10.7.3 and Security Update 2012-001.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Inc.Affected20 Oct 201102 Feb 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 9.0 AV:N/AC:M/Au:N/C:C/I:C/A:P
Temporal 7.0 E:POC/RL:OF/RC:C
Environmental 7.0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2011-3449
  • Date Public: 02 Feb 2012
  • Date First Published: 02 Feb 2012
  • Date Last Updated: 28 Mar 2012
  • Severity Metric: 5.77
  • Document Revision: 5

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.