Apple issues two security updates this week
Apple has released a couple of important security updates this week. The first, APPLE-SA-2008-02-05 iPhoto 7.1.2, was released yesterday and addresses a highly critical vulnerability present in iPhoto:
Available for: iPhoto ’08 7.1
Impact: Subscribing to a maliciously crafted photocast may lead to arbitrary code execution
Description: A format string vulnerability exists in iPhoto. By enticing a user to subscribe to a maliciously crafted photocast, a remote attacker may cause arbitrary code execution. This update addresses the issue through improved handling of format strings when processing photocast subscriptions. Credit to Nathan McFeters of Ernst & Young's Advanced Security Center for reporting this issue.
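To make the bug class in that advisory concrete, here is an added C example (constructed for this post, not Apple's iPhoto code; the `photocast_entry` struct and function names are hypothetical). It shows the unsafe pattern in a comment, the hardened form that passes untrusted feed text only as a `%s` argument, and a small check that counts format directives in untrusted input so suspicious feeds can be logged.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical photocast feed entry: the title arrives from an untrusted
 * RSS/Atom feed fetched over the network, so it is attacker-controlled. */
struct photocast_entry {
    const char *title;
};

/* Vulnerable pattern (the class the advisory describes), shown only as a
 * comment because running it on untrusted data is undefined behaviour:
 *
 *     snprintf(buf, len, entry->title);   // title IS the format string
 *
 * Any '%' directive inside the title would then be interpreted by snprintf
 * and consume variadic arguments that were never supplied. */

/* Hardened form: the format string is a compile-time constant and the title
 * is only ever a %s argument, so it is copied byte-for-byte. Returns the
 * number of bytes written (excluding NUL), or -1 if the output was truncated. */
int format_subscription_banner(char *buf, size_t len,
                               const struct photocast_entry *entry) {
    int n = snprintf(buf, len, "Subscribed to photocast: %s", entry->title);
    if (n < 0 || (size_t)n >= len) {
        return -1;  /* truncated: caller should not treat buf as complete */
    }
    return n;
}

/* Defensive check: count printf-style directives in untrusted text.
 * "%%" is a literal percent sign and is not counted. A non-zero result in a
 * feed title is a good signal to log the feed for review. */
int count_format_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            count++;
        }
    }
    return count;
}
```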
The second, APPLE-SA-2008-02-06 QuickTime 7.4.1, released today, addresses a highly critical vulnerability in QuickTime for Mac OS X and Windows XP/Vista:
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of HTTP responses when RTSP tunneling is enabled. By enticing a user to visit a maliciously crafted webpage, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.