
Printed from http://www.macnn.com

QuickTime 7.1.3 fixes 6 security flaws

updated 03:00 pm EDT, Tue September 12, 2006

QuickTime 7.1.3 released

Apple today released QuickTime 7.1.3, offering several functionality improvements and fixing six security flaws. The update repairs issues in which maliciously crafted H.264 movies, QuickTime movies, FLC movies, FlashPix files, and SGI images could cause application crashes and/or result in arbitrary code execution. The QuickTime update requires Mac OS X 10.3.9 or later, and is available for free. [updated]

Apple has offered details on the security vulnerabilities fixed by QuickTime 7.1.3, crediting the companies and individuals who discovered and/or reported the issues.

By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of H.264 movies. Apple offers credit to Sowhat of Nevis Labs, Mike Price of McAfee AVERT Labs, and Piotr Bania of piotrbania.com for reporting these issues.

By carefully crafting a corrupt QuickTime movie, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of QuickTime movies. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FLC movie, an attacker can trigger a heap buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FLC movies. Apple offers credit to Ruben Santamarta of reversemode.com working with the iDefense VCP Program, and Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FlashPix file, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FlashPix file, an attacker can trigger an exception leaving an uninitialized object. This may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt SGI image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of SGI image files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.




by MacNN Staff
