toggle

AAPL Stock: 124.25 ( -0.18 )

Printed from http://www.macnn.com

QuickTime 7.1.3 fixes 6 security flaws

updated 03:00 pm EDT, Tue September 12, 2006

QuickTime 7.1.3 released

Apple today released QuickTime 7.1.3, offering several functionality improvements and fixing six security flaws. The update repairs issues which prevent users from maliciously crafting H.254 movies, QuickTime movies, FLC movies, FlashPix files, and SGI images which could cause application crashes and/or result in arbitrary code execution. The QuickTime update requires Mac OS X 10.3.9 or later, and is available for free. [updated]

Apple has offered details on the security vulnerabilities fixed by QuickTime 7.1.3, offering credit to those companies and individuals who discovered and/or reported the issues.

By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of H.264 movies. Apple offers credit to Sowhat of Nevis Labs, Mike Price of McAfee AVERT Labs, and Piotr Bania of piotrbania.com for reporting these issues.

By carefully crafting a corrupt QuickTime movie, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of QuickTime movies. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FLC movie, an attacker can trigger a heap buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FLC movies. Apple offers credit to Ruben Santamarta of reversemode.com working with the iDefense VCP Program, and Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FlashPix file, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt FlashPix file, an attacker can trigger an exception leaving an uninitialized object. This may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.

By carefully crafting a corrupt SGI image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of SGI image files. Apple offers credit to Mike Price of McAfee AVERT Labs for reporting this issue.




by MacNN Staff

POST TOOLS:

TAGS :

toggle

Comments

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

Advertisement

Recent Reviews

Apple 13-inch MacBook Pro (Early 2015)

Although the new darling of the Apple MacBook line up is the all-new MacBook, Apple has given its popular 13-inch MacBook Pro with Ret ...

Griffin Twenty

A few years ago Griffin launched the original Twenty, a small digital amp that used an AirPort Express to turn any set of passive spea ...

Seagate Wireless

It seems like no matter how much internal storage is included today's mobile devices, we, as users, will always find a way to fill th ...

toggle

Most Commented