CVE-2021-1775: 
macOS vulnerability analysis and mitigation

CVE-2021-1775 is a vulnerability discovered in Apple's macOS FontParser component that affects macOS Mojave 10.14.6. The vulnerability was discovered by Mickey Jin and Qi Sun of Trend Micro working with Trend Micro's Zero Day Initiative and was patched in February 2021 as part of macOS Big Sur 11.2 and Security Update 2021-001 Mojave (Apple Security).

The vulnerability exists within the parsing of TTF fonts in the libFontParser library. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in an integer underflow before reading from memory. Apple addressed this issue by removing the vulnerable code (ZDI Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) indicating low severity (ZDI Advisory).

When exploited, this vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. While interaction with the libFontParser library is required to exploit this vulnerability, attack vectors may vary depending on the implementation. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to execute code in the context of the current process (ZDI Advisory).

Apple has addressed this vulnerability by removing the vulnerable code in the Security Update 2021-001 Mojave released on February 1, 2021. Users are advised to update to this version or later to mitigate the risk (Apple Security).