=====================================================================
CERT-Renater Information Note No. 2010/VULN136
_____________________________________________________________________

DATE                  : 15/04/2010
HARDWARE PLATFORM(S)  : /
OPERATING SYSTEM(S)   : Mac OS X version 10.5.8, 10.6.3 running ATS.
======================================================================

http://support.apple.com/kb/HT4131
______________________________________________________________________

APPLE-SA-2010-04-14-1 Security Update 2010-003

Security Update 2010-003 is now available and addresses the following:

ATS
CVE-ID:  CVE-2010-1120
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.3, Mac OS X Server v10.6.3
Impact:  Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description:  An unchecked index issue exists in Apple Type Services'
handling of embedded fonts. Viewing or downloading a document
containing a maliciously crafted embedded font may lead to arbitrary
code execution. This issue is addressed through improved index
checking. Credit to Charlie Miller working with TippingPoint's Zero
Day Initiative for reporting this issue.

Security Update 2010-003 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.6.3 and Mac OS X Server v10.6.3
The download file is named: SecUpd2010-003Snow.dmg
Its SHA-1 digest is: aa1579322ef07a1637b35a3ac02612ca5a22a74a

For Mac OS X v10.5.8
The download file is named: SecUpd2010-003.dmg
Its SHA-1 digest is: 3f82f68f5a96a0c103fcc3ad88da9451b48def08

For Mac OS X Server v10.5.8
The download file is named: SecUpdSrvr2010-003.dmg
Its SHA-1 digest is: bc299a8932d02cf8e10bdb82ca6f21908d9ba50a

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44           +
+ 151 bd de l'Hopital     | fax : 01-53-94-20-41           +
+ 75013 Paris             | email: certsvp@renater.fr      +
=========================================================