
3.04.2008

Updates: iTunes 7.6.2, Front Row 2.1.3 and QuickTime 7.4.5

Overnight, Apple released three updates:
iTunes 7.6.2 (45MB) «contains bug fixes to improve stability and performance.»
Front Row 2.1.3 (20.5MB) «contains bug fixes and improves compatibility with iTunes 7.6.2.»
QuickTime 7.4.5 (around 50MB, for 10.5, 10.4, 10.3 and Windows) «contains bug fixes that improve the application's reliability and its compatibility with third-party applications, and address security issues.»
The QuickTime update requires a restart and closes eleven security holes, eight of which affect Mac OS X and Windows alike. Whether the hole used in the hack of 10.5.2 is among them is unclear; in any case, a number of the holes were reported through TippingPoint's Zero Day Initiative (the organizers of the PWN2OWN contest). Until now, however, the actual weakness was assumed to be in Safari 3.1 or WebKit. Details of the QuickTime vulnerabilities that were fixed after the jump.

QuickTime
CVE-ID: CVE-2008-1013
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Untrusted Java applets may obtain elevated privileges
Description: An implementation issue in QuickTime for Java allows
untrusted Java applets to deserialize objects provided by QTJava.
Visiting a web page containing a maliciously crafted Java applet
could allow the disclosure of sensitive information, or arbitrary
code execution with the privileges of the current user. This update
addresses the issue by disabling the ability of untrusted Java
applets to deserialize QTJava objects. Credit to Adam Gowdiak for
reporting this issue.

QuickTime
CVE-ID: CVE-2008-1014
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Downloading a movie file may lead to information disclosure
Description: Specially crafted QuickTime movies can automatically
open external URLs, which may lead to information disclosure. This
update addresses the issue through improved handling of external URLs
embedded in movie files. Credit to Jorge Escala of Open Tech
Solutions, and Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs
for reporting this issue.

QuickTime
CVE-ID: CVE-2008-1015
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's handling of data reference
atoms may result in a buffer overflow. Viewing a maliciously crafted
movie file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of data reference atoms. Credit to
Chris Ries of Carnegie Mellon University Computing Services for
reporting this issue.

QuickTime
CVE-ID: CVE-2008-1016
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of movie media tracks. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
validation of movie media tracks.

QuickTime
CVE-ID: CVE-2008-1017
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's parsing of 'crgn' atoms may
result in a heap buffer overflow. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
bounds checking. Credit to Sanbin Li working with TippingPoint's Zero
Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-1018
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's parsing of 'chan' atoms may
result in a heap buffer overflow. Viewing a maliciously crafted movie
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
bounds checking. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-1019
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's handling of PICT records may
result in a heap buffer overflow. Viewing a maliciously crafted PICT
image file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking. Credit to bugfree working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-1020
Available for: Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's handling of error messages
during PICT images processing may result in a heap buffer overflow.
Viewing a maliciously crafted PICT image may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue through improved bounds checking. This issue does
not affect Mac OS X systems. Credit to Ruben Santamarta of
Reversemode.com working with TippingPoint's Zero Day Initiative for
reporting this issue.

QuickTime
CVE-ID: CVE-2008-1021
Available for: Windows Vista, XP SP2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's handling of Animation codec
content may result in a heap buffer overflow. Viewing a maliciously
crafted movie file with Animation codec content may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. This
issue does not affect Mac OS X systems. Credit to an anonymous
researcher working with TippingPoint's Zero Day Initiative for
reporting this issue.

QuickTime
CVE-ID: CVE-2008-1022
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later,
Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted QuickTime VR movie file may
lead to an unexpected application termination or arbitrary code
execution
Description: An issue in QuickTime's parsing of 'obji' atoms may
result in a stack buffer overflow. Viewing a maliciously crafted
QuickTime VR movie file may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved bounds checking. Credit to an anonymous
researcher working with TippingPoint's Zero Day Initiative for
reporting this issue.

QuickTime
CVE-ID: CVE-2008-1023
Available for: Windows Vista, XP SP2
Impact: Opening a maliciously crafted PICT image file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in QuickTime's parsing of the Clip opcode may
result in a heap buffer overflow. Viewing a maliciously crafted PICT
image file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved bounds checking. This issue does not affect Mac OS X
systems. Credit to Wei Wang of McAfee AVERT labs for reporting this
issue.
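Most of the entries above share one pattern: a size field read from a movie or image file is trusted, and the fix is "improved bounds checking" or "additional validation" of the atom in question. As an added example (not part of the original post and not Apple's or QuickTime's code), the following C snippet shows what that kind of validation looks like for the classic QuickTime atom header: a 4-byte big-endian size that includes the header, a 4-byte type code, with size 1 meaning a 64-bit extended size follows and size 0 meaning the atom runs to the end of the enclosing data. The parser rejects truncated headers, sizes smaller than the header, sizes that overrun the buffer, and payloads larger than a fixed destination buffer, instead of letting the file dictate how much memory is copied. The sample byte arrays are constructed for this example; the type codes in them ('crgn', 'chan' and so on) are only used as labels and carry no real payload layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classic QuickTime atom header: 4-byte big-endian size (counting the
 * header itself), then a 4-byte type code. Size 0 = "extends to the end
 * of the enclosing data"; size 1 = a 64-bit extended size follows. */
typedef struct {
    char   type[5];      /* four-character code, NUL-terminated */
    size_t payload_off;  /* offset of the payload within the buffer */
    size_t payload_len;  /* payload length in bytes */
} atom_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse one atom header at buf[off..len). Returns 1 on success, 0 when the
 * header is truncated, the size is inconsistent with the header length, or
 * the atom would overrun the buffer. Every size comes from file bytes, so
 * each arithmetic step is checked against the bytes actually remaining. */
int parse_atom(const uint8_t *buf, size_t len, size_t off, atom_t *out) {
    if (off > len || len - off < 8)
        return 0;                               /* truncated header */
    size_t remaining = len - off;
    uint64_t size = be32(buf + off);
    size_t hdr = 8;
    if (size == 1) {                            /* 64-bit extended size */
        if (remaining < 16)
            return 0;
        size = be64(buf + off + 8);
        hdr = 16;
    } else if (size == 0) {                     /* runs to end of buffer */
        size = remaining;
    }
    if (size < hdr || size > remaining)
        return 0;                               /* underflow or overrun */
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    out->payload_off = off + hdr;
    out->payload_len = (size_t)size - hdr;
    return 1;
}

/* Walk a flat sequence of sibling atoms. Returns the number of atoms
 * parsed, or -1 at the first malformed header. */
int walk_atoms(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        atom_t a;
        if (!parse_atom(buf, len, off, &a))
            return -1;
        off = a.payload_off + a.payload_len;   /* cannot exceed len: checked above */
        n++;
    }
    return n;
}

/* Copy an atom payload into a fixed-size buffer: check the length against
 * the destination before copying, rather than trusting the file's size. */
#define MAX_PAYLOAD 64
int copy_payload_checked(const uint8_t *buf, const atom_t *a,
                         uint8_t dst[MAX_PAYLOAD]) {
    if (a->payload_len > MAX_PAYLOAD)
        return 0;                               /* reject instead of overflowing */
    memcpy(dst, buf + a->payload_off, a->payload_len);
    return 1;
}

/* Constructed sample data for this example (not taken from any real file). */
static const uint8_t GOOD[] = {
    0x00,0x00,0x00,0x0C, 'f','r','e','e', 0xAA,0xBB,0xCC,0xDD,  /* 12-byte atom, 4-byte payload */
    0x00,0x00,0x00,0x08, 's','k','i','p',                        /* 8-byte atom, empty payload */
};
static const uint8_t EXTENDED[] = {
    0x00,0x00,0x00,0x01, 'w','i','d','e',                        /* size 1: extended size follows */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x14,                    /* 64-bit size = 20 */
    0x11,0x22,0x33,0x44,                                         /* 4-byte payload */
};
static const uint8_t ZEROSIZE[] = {
    0x00,0x00,0x00,0x00, 'm','d','a','t', 0x01,0x02,0x03,        /* size 0: runs to end */
};
static const uint8_t OVERSIZED[] = {
    0x00,0x00,0x10,0x00, 'c','r','g','n', 0x01,0x02,0x03,0x04,   /* claims 4096 bytes, has 12 */
};
static const uint8_t UNDERSIZED[] = {
    0x00,0x00,0x00,0x04, 'c','h','a','n',                        /* size smaller than its header */
};

int main(void) {
    printf("good: %d atoms\n",      walk_atoms(GOOD, sizeof GOOD));
    printf("extended: %d atoms\n",  walk_atoms(EXTENDED, sizeof EXTENDED));
    printf("zero-size: %d atoms\n", walk_atoms(ZEROSIZE, sizeof ZEROSIZE));
    printf("oversized: %d\n",       walk_atoms(OVERSIZED, sizeof OVERSIZED));
    printf("undersized: %d\n",      walk_atoms(UNDERSIZED, sizeof UNDERSIZED));
    return 0;
}
```

The two rejected samples are the interesting ones: an atom that claims more bytes than the file contains, and an atom whose size is smaller than its own header. Without the `size < hdr` check the payload length would wrap to a huge value; without the `size > remaining` check a later copy would read past the buffer. Both checks are cheap, and the copy helper shows the matching check on the destination side.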

Posted by Leo at 08:08
