CVE-2014-1255

Vulnerability

Apple Type Services (ATS) in Apple OS X versions prior to 10.9.2 does not properly validate calls to the free function when processing Mach messages. This improper validation allows an attacker to trigger a double-free or use-after-free condition. The vulnerability is reachable without special configuration, as ATS is a core system service that handles font processing and is exposed to Mach IPC.

Exploitation

An attacker needs to be able to send crafted Mach messages to the ATS service. No authentication is required beyond the default sandbox context; the attacker may already be running under App Sandbox restrictions. The attack involves sending a sequence of Mach messages that cause ATS to call free on a pointer that has already been freed, leading to memory corruption. The exact steps are not publicly detailed but exploit the lack of validation in the free call.

Impact

Successful exploitation allows an attacker to bypass the App Sandbox protection mechanism, escaping the sandbox and gaining arbitrary code execution with the privileges of the ATS process (typically full system privileges). This results in complete compromise of confidentiality, integrity, and availability of the affected system.

Mitigation

Apple addressed this vulnerability in OS X Mavericks v10.9.2, released on February 25, 2014 [1]. The update is available via Software Update or the Apple Support website. No workarounds are provided; users should apply the update immediately. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.