Apple fixes multiple QuickTime security flaws

By Bill Brenner, Senior News Writer 11 Jan 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Apple Computer Inc. has fixed a variety of QuickTime flaws attackers could exploit to cause a denial of service or launch malicious code.

The security holes affect Mac OS X and Windows platforms where the media player is running. Apple has released an updated version of QuickTime, 7.0.4, to fix the problems.

According to the Cupertino, Calif.-based company:

More on Apple security Apple patches 13 flaws in Mac OS X Multiple flaws in Apple QuickTime (fourth item) Apple fixes Mac OS X flaws (third item)

The first problem is that a maliciously-crafted QTIF image could be used to launch malicious code. "By carefully crafting a corrupt QTIF image, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of GIF images."

The second problem is that viewing a maliciously-crafted TGA image could be used to launch malicious code. "By carefully crafting a corrupt TGA image, an attacker can trigger a buffer overflow, integer overflow, or integer underflow that may result in a denial of service or arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of TGA images."

The third problem is that viewing a maliciously-crafted TIFF image could be used to launch malicious code. "By carefully crafting a corrupt TIFF image, an attacker can trigger an integer overflow that may result in a denial of service or arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of TIFF images."

The fourth problem is that a maliciously-crafted GIF image could be used to launch malicious code. "By carefully crafting a corrupt GIF image, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of GIF images."

The fifth problem is that a maliciously-crafted media file could be used to launch malicious code. "By carefully crafting a corrupt media file, an attacker can trigger a heap buffer overflow that may result in arbitrary code execution," Apple said. "This update addresses the issue by performing additional validation of media files."

Tags: Alternative OS security: Mac, Linux, Unix, etc.,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Alternative OS security: Mac, Linux, Unix, etc. Machiavelli Mac OS X rootkit unveiled at Black Hat How secure is 'Platform as a Service (PaaS)?' Security comparison: Mac OS X vs. Windows Mac OS memory flaws pose challenges for enterprise endpoint protection Rootkit Hunter demo: Detect and remove Linux rootkits Oracle to buy Sun Microsystems for $7.4 billion How to harden Linux operating systems Serious holes in Mac OS X memory, researcher shows What is the best operating system for an FTP server implementation? Black Hat DC 2009: Mac OS attack method Alternative OS security: Mac, Linux, Unix, etc. Research Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary