CESA-2009-011 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

ColorSync ICC parsing heap overflow

Programs affected: ColorSync (as used by Safari)
Fixed: Mac OS X v10.5.8
Severity: Arbitrary code execution from remote.
Vendor URL: About the security content of Security Update 2009-003 / Mac OS X v10.5.8

It turns out that one of the sample files for my recent LittleCMS (lcms) vulnerabilities also crashed Safari when you attempted to view it.

The cause is a heap-based buffer overflow in Apple's ColorSync component (which handles colour profile parsing). ColorSync is a separate parsing implementation from LittleCMS, so this is one of those interesting cases where dissimilar implementations contain a very similar bug.

Now fixed in the latest Apple updates.

Chris Evans