Printed from http://www.macnn.com

QuickTime 7.1.3 fixes 6 security flaws

updated 03:00 pm EDT, Tue September 12, 2006

QuickTime 7.1.3 released

Apple today released QuickTime 7.1.3, offering several functionality improvements and fixing six security flaws. The update repairs issues through which maliciously crafted H.264 movies, QuickTime movies, FLC movies, FlashPix files, and SGI images could cause application crashes and/or result in arbitrary code execution. The QuickTime update requires Mac OS X 10.3.9 or later and is available for free. [updated]

Apple has offered details on the security vulnerabilities fixed by QuickTime 7.1.3, offering credit to those companies and individuals who discovered and/or reported the issues.

By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of H.264 movies. Apple offers credit to Sowhat of Nevis Labs, Mike Price of McAfee AVERT Labs, and Piotr Bania of piotrbania.com for reporting these issues.

By carefully crafting a corrupt QuickTime movie, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of QuickTime movies. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FLC movie, an attacker can trigger a heap buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FLC movies. Apple offers credit to Ruben Santamarta of reversemode.com working with the iDefense VCP Program, and Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FlashPix file, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FlashPix file, an attacker can trigger an exception leaving an uninitialized object. This may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt SGI image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of SGI image files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.




by MacNN Staff
