QuickTime Flaws

Source: blogs.pcmag.com --- 19 days ago
Hot on the heels of Apple patching 9 vulnerabilities in QuickTime an exploit has been released for a previously unknown vulnerability in the program that affects the new, patched version. The problem appears to be in the processing of the " " parameter. Supplying a type value of an excessive length causes a heap overflow. The current exploit only crashes the program, but a report by Symantec's DeepSight analysis services says that the form of the exploit suggests that further refinements may cause code execution. More research is needed. Apple has also released Apple Remote Desktop 3.2.2 to address a vulnerability in it that goes back to OS X 10.3 . This vulnerability allows an unprivileged local user to elevate privileges to root. The problem is in the Open Scripting Architecture libraries. Systems that have applied Security Update 2008-005 are not vulnerable. Symantec is reporting that the flaw is related to a previously-reported privilege escalation bug in the ARDAgent . They say that there is evidence that variants of this attack have been seen in the wild and that it is therefore urgent for users to upgrade their systems. Excerpt: One zero-day exploit is released and one old vulnerability comes back to haunt Apple. ...

Source: cyberinsecure.com --- 21 days ago
Apple released a major update to its iTunes and QuickTime software products, fixing at least 11 documented security vulnerabilities that could lead to Mac and PC takeover attacks. QuickTime 7.5.5, which should be considered an extremely critical update, according to Apple, address nine different vulnerabilities that could cause some serious damage if a Windows or Mac [...] ...

Source: blog.washingtonpost.com --- 26 days ago
Apple on Tuesday released software updates to fix at least 20 security holes in its various products, from the iPod Touch to OS X and Windows versions of iTunes and QuickTime. The iPod Touch update fixes seven Flaws, and is available only through iTunes, which Apple updated to iTunes 8 yesterday. My colleague Mike Musgrove has a nice write-up on the new features in the latest iTunes version, which includes just a couple of security fixes. The more interesting of the two describes a "misleading" warning box from OS X about the safety of poking holes in the built-in firewall to accommodate music sharing in iTunes. From Apple's description: Description: When the firewall is configured to block iTunes Music Sharing and the user enables iTunes Music Sharing in iTunes, a warning dialog is displayed which incorrectly informs the user that unblocking iTunes Music Sharing doesn't affect the firewall's security. Allowing ...

Source: blogs.zdnet.com --- 88 days ago
Apple released patches for its Apple TV 2.1 product yesterday. Some of you might be saying, why do I care, I don't use Apple TV. Well, if you do use Apple TV, you obviously should care as some of these are very serious Flaws, but if you don't, you might still care because of the nature of the Flaws patched for Apple TV. These Flaws were all released for disclosure quite some time ago and are just now being patched. Most were released three months ago, one was released last month, and two were released way back in January. What does that mean? Well, either Apple neglected to patch Apple TV, which might be the case as they recently neglected... ...

Source: blogs.pcmag.com --- 27 days ago
Apple issued a series of updates today to the iPod Touch, QuickTime and iTunes, covering 18 different vulnerabilities. It's not the first time Apple has released a big update on Microsoft's regularly-scheduled Patch Tuesday , perhaps hoping for lesser headlines. 7 of the vulnerabilities are in the iPod Touch , the update for which brings that software to version 2.1. There are Flaws in the application sandbox, in the graphics system, in the Webkit HTML engine, and in networking code. 9 vulnerabilities are in QuickTime and fixed in the new version 7.5.5. All of them data parsing bugs ("...reading data from a maliciously-crafted .blah file could lead to abnormal program termination and remote code execution..."). Several of the vulnerabilities are only on the Windows version of the program. Finally, the new iTunes 8.0 fixes 2 security vulnerabilities . One is only on the Mac and is merely a misleading notification dialog box related to the Apple Firewall. The other vulnerability is Windows-only. A 3rd-party driver provided with iTunes could induce an integer overflow in the program leading to remote code execution. The likelihood, as they say, sounds "remote." ...

Source: www.secuobs.com --- 88 days ago
2008-07-11 19:30:41 - Zero Day : Apple released patches for its Apple TV 21 product yesterday Some ofyou might be saying, why do I care, I don’t use Apple TV Well, if youdo use Apple TV, you obviously should care as some of these are veryserious Flaws, but if you don’t, you might still care because IMAGE ...

Source: www.yourmaclifeshow.com --- 18 days ago
A serious new flaw was disclosed on Thursday that affects the latest versions of Apple's QuickTime and iTunes applications. The National Vulnerability Database entry CVE-2008-4116 describes a heap-based buffer overflow vulnerability within Apple's QuickTime 7.5.5 and iTunes 8.0 programs. To infect a computer, a maliciously coded long-type attribute within a QuickTime tag might be placed on a Web page, or within a .mp4 or .mov file. This could allow remote attackers to crash the applications (known as a denial of service) or possibly execute arbitrary code on a compromised computer. The announcement comes one week after Apple patched nine security Flaws in its media player and fixed Windows Vista problems within its recently updated online music service. ...