Apple's vulnerability patch count: 10 QuickTime, 1 iTunes, 0 Java

By Angela Gunn | Published June 1, 2009, 6:03 PM

Is Cupertino straining at gnats while much larger objects float in the punchbowl? Security professionals might wonder, as Apple on Monday released a 7.6.2 update to QuickTime that patches ten security holes in that player. The notorious Java hole reported last year and exploited at pwn2own in February remained untouched.

Many of the patches address -- what else? -- buffering issues. A problem brought to Apple's attention by a researcher working with TippingPoint's Zero Day Initiative, in which a heap buffer overflow could be triggered by a maliciously crafted FLC file, has been addressed. Compressed PSD files could also be used to trigger a buffer overflow; that's been taken care of. (Another score for the Zero Day Initiative, by the way, which gets full or partial credit for six vulnerabilities addressed this time around.) Heap buffer overflow issues with MS ADPCM-encoded movie files, CRGN (Clipping Region) atom types in movie files, and JP2 files also met their makers.

A memory-corruption issue in QuickTime's handling of Sorenson 3 (video) files has been addressed, as have two problems with QuickTime's handling of PICT images. There was a sign extension issue in QuickTime's handling of image description atoms that Apple addressed by improving validation for that code, and another issue that could trigger an application crash or even arbitrary code execution if the user data atom size equaled zero.
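A generic illustration of the kind of atom-size validation mentioned above, as an added example that is neither Apple's code nor a reconstruction of the patched bugs. The function name `count_atoms` and the sample buffers are constructed for illustration, and the sketch assumes a policy of rejecting any size field below 8 rather than handling the format's special size values.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample inputs (not taken from any real file). */
static const uint8_t good[] = {0,0,0,12,'u','d','t','a',1,2,3,4,
                               0,0,0,8,'f','r','e','e'};
static const uint8_t zero_size[] = {0,0,0,0,'u','d','t','a'};
static const uint8_t huge_size[] = {0xFF,0xFF,0xFF,0xF0,'i','d','s','c'};

/* Read the size as unsigned. 0xFFFFFFF0 held in a signed 32-bit type is
   -16 and sign-extends when widened to a 64-bit offset or length. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk sibling atoms in buf[0..len): 4-byte big-endian size (header
   included), then a 4-byte type. Returns the atom count, or -1 at the
   first malformed header. */
int count_atoms(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8) return -1;     /* truncated header */
        uint32_t size = be32(buf + off);
        if (size < 8) return -1;          /* zero or shorter than its own header */
        if (size > remaining) return -1;  /* claims bytes the buffer lacks */
        off += size;                      /* always advances by at least 8 */
        n++;
    }
    return n;
}

int main(void) {
    int ok = count_atoms(good, sizeof good) == 2 &&
             count_atoms(zero_size, sizeof zero_size) == -1 &&
             count_atoms(huge_size, sizeof huge_size) == -1;
    return ok ? 0 : 1;
}
```

Checking the size against both the header length and the bytes actually remaining is what keeps a zero or oversized field from driving a later copy or offset calculation.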

Eight of the patches apply to both Mac OS X (v. 10.4.11 and later) and Windows users, while two -- the CRGN problem and an integer-underflow error addressed in one of the PICT-related patches -- are strictly for users of XP SP3 and Vista.

Apple also released an iTunes update today, raising the version number to 8.2. The upgrade included one security fix, which addressed a stack buffer overflow issue that could be triggered if the user were to visit a maliciously crafted "itms:" URL. The problem, which has been patched with better bounds checking, could have led to an iTunes crash or to unwanted code execution.

Comments


kitty: Get in an accident that leaves you completely unable to spam.

Thank you.

Score: 0

|

:-) Spammer fried, PC_Tool. Or 'kitty is roadkill', if you prefer.

Score: 0

|

Ahhh... I feel much better now. ;D

Score: 0

|

It must be true. Hackers/virus writers just can't make a virus for OSx or the iPhone. It's 100% safe.. Life is great..

Score: -1

|

QuickTime is becoming the new Real Player. Outdated, bloated, and not relevant. I gave up on it in favor of the qt alternative codec. I suggest you do the same.

Score: 0

|

Yes, no reason for 5 media players on your machine. 1 will do, just add the codecs. And who wants iTunes on your machines..

Score: 0

|

I want iTunes and QuickTime on my machines because of my iPods.

It isn't the best on Windows, but I'd say with some certainty that they really have to work around Microsoft to get things done, as was the case with office applications and anywhere else Microsoft has applications for sale. Windows has more alternative runtime environments on it (GTK+, Qt) and Apple used their own for iTunes, which adds to the baggage.

Score: 0

|

???

So because Apple chose to use some obscure development tools it's Microsoft's fault?

Nice.

Score: 0

|

Is it just me or is Apple failing a lot lately? Maybe it's on purpose.

Score: 2

|

Contrary to iTard's lovely reasoned response...

It could very well be that a large number of vulnerabilities have existed for quite some time and have either gone unreported (Who cares about the Mac?) or have simply slipped through the cracks because there weren't enough users...no-one noticed.

Suddenly Apple's seeing a lot more users, a lot more scrutiny, and a lot more press. All of these things combined will lead to finding more/reporting more vulnerabilities.

...or it could just be you. ;)

Score: 2

|

Considering how many problems there have been in QuickTime, I'm glad they're working on it. It took them years to do something. The version of Samba they had been using was over two years old when they finally replaced/fixed it and all they really had to do was use or integrate the open source changes.

Still, the exploits are generally difficult to exploit without a stupid user because they require authorisation. Many have to be executed locally, which isn't likely to happen either. Some require services that are not running by default on a shipped system.

Java has turned into the opposite of what Apple originally said about it. It is not the best implementation by far--it's close to the worst.

Score: 1

|

The best bit?

WMP plays .mov in Win7. No more need for QT in Windows! :D

Score: 1

|

I have a few .mov files that don't/didn't play on WMP in Windows 7. I'm not sure what the deal with that is. I HAD to get Quicktime to play them....then I thought twice, removed QT and got Sharks' Windows 7 codecs and things have been copasetic since.

Now everything...EVERYTHING plays in WMP. Sorry, OT for a sec there.

I've always thought and said that Apple's self-proclaimed invulnerability was unreal. Plain and simple, the more popular OSX becomes, the more issues it will see. That they haven't patched this after all this time is either a testament to their ignorance or arrogance....heck, maybe both?

Score: 0

|

Yet again Apple has yet to fail me for sheer lulz when it comes to security patching. Their users/fanatics tout how MS and Windows are so insecure and full of holes, yet Apple is just as, if not more, guilty of NOT fixing KNOWN EXPLOITS for months or even years.

Score: 5

|

And that's why Apple recently hired a "security expert".
I guess there's a lot more security problems than the public really knows.

Score: 0

|
