toggle

AAPL Stock: 111.78 ( -0.87 )

Printed from http://www.macnn.com

QuickTime 7.1.3 fixes 6 security flaws

updated 03:00 pm EDT, Tue September 12, 2006

QuickTime 7.1.3 released

Apple today released QuickTime 7.1.3, offering several functionality improvements and fixing six security flaws. The update repairs issues which prevent users from maliciously crafting H.254 movies, QuickTime movies, FLC movies, FlashPix files, and SGI images which could cause application crashes and/or result in arbitrary code execution. The QuickTime update requires Mac OS X 10.3.9 or later, and is available for free. [updated]

Apple has offered details on the security vulnerabilities fixed by QuickTime 7.1.3, offering credit to those companies and individuals who discovered and/or reported the issues.

By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of H.264 movies. Apple offers credit to Sowhat of Nevis Labs, Mike Price of McAfee AVERT Labs, and Piotr Bania of piotrbania.com for reporting these issues.

By carefully crafting a corrupt QuickTime movie, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of QuickTime movies. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FLC movie, an attacker can trigger a heap buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FLC movies. Apple offers credit to Ruben Santamarta of reversemode.com working with the iDefense VCP Program, and Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FlashPix file, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FlashPix file, an attacker can trigger an exception leaving an uninitialized object. This may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt SGI image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of SGI image files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.




by MacNN Staff

POST TOOLS:

TAGS :

toggle

Comments

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Dell AD211 Bluetooth speaker

For all of the high-priced, over-engineered Bluetooth speakers in the electronics market, there is still room for mass-market solution ...

VisionTek 128GB USB Pocket SSD

USB flash drives dealt the death blow to both the floppy and Zip drives. While still faster than either of the old removable media, sp ...

Kodak PixPro SL10 Smart Lens Camera

Smartphone imagery still widely varies. Large Megapixel counts don't make for a good image, and the optics in some devices are lackin ...

toggle

Most Commented