eWeek Security Watch
Advertisement
Advertisement
January 15, 2008 4:31 PM

Apple Plugs QuickTime, iPhone Security Holes



Here's something that may be buried in the crazy Macworld news cycle: Apple has shipped two high-priority (critical) security patches for the QuickTime, iPhone and iPod Touch products.

The QuickTime update covers at least four serious vulnerabilities that put Windows and Mac machines at risk of code execution holes but, inexplicably, there are no fixes for the RTSP bug that was publicly released as a zero-day last week.

Apple plugs QuickTime, iTunes, iPhone Security Holes


Here's the documentation from Apple:

* CVE-2008-0031--A memory corruption issue exists in QuickTime's handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2.

* CVE-2008-0032--A memory corruption issue exists in QuickTime's handling of Macintosh Resource records in movie files. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2.

* CVE-2008-0033--A memory corruption issue exists in QuickTime's parsing of Image Descriptor (IDSC) atoms. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2.

* CVE-2008-0036--A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2.

Apple also shipped iPhone v1.1.3 and iPod Touch v1.1.3 to add several new features announced at Macworld and also to address at least three security holes.

The skinny on these vulnerabilities, which affect iPhone v1.0 through v1.1.2 and iPod Touch v1.1 through 1.1.2:


* CVE-2008-0035--A memory corruption issue exists in Safari's handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution.

* CVE-2008-0034--An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode.

* CVE-2007-5858--Visiting a maliciously crafted Web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information.

Posted by Ryan Naraine on January 15, 2008 4:31 PM

| Comments (0) | del.icio.us | digg.com | Trackback | Post a Comment
TrackBack

TrackBack

http://securitywatch.eweek.com/cgi-bin/mte/mt-tb.cgi/12470

Post a Comment

 
 


RSS Syndication

Breaking News

Advertisement

Apple

Browsers

Cisco

Corporate espionage

Disaster Planning

eBay

Exploits and Attacks

Flaws

Google

Identity Theft

Intrusion Detection/Prevention

Mergers and Acquisitions

Microsoft Windows

Open Source

Oracle

Patches

Phishing and Fraud

Privacy

Product Reviews

Rootkits

Spam

Virus and Spyware

Vulnerability Research

Advertisement
Security Watch     Contact Us | Advertise | Site Map
Ziff Davis Enterprise

Ziff Davis Enterprise Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters
RSS Feeds | White Papers | ROI Calculators | Tech Podcasts | Tech Video |

Baseline | Careers | Channel Insider | CIO Insight | DesktopLinux | DeviceForge | DevSource | eSeminars |
eWEEK | LinuxDevices | Linux Watch | Microsoft Watch | Mid-market | Networking | PDF Zone |
Publish | eWeek Security | Strategic Partner | Web Buyer's Guide | Windows for Devices

Developer Shed | Dev Shed | ASP Free | Dev Articles | Dev Hardware | SEO Chat | Tutorialized | Scripts |
Code Walkers | Web Hosters | Dev Mechanic | Dev Archives | IT Marketplace | igrep

Use of this site is governed by our Terms of Use and Privacy Policy

Copyright ©1996-2007 Ziff Davis Enterprise, Inc. All Rights Reserved. Security Watch is a trademark of Ziff Davis Enterprise, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
Ziff Davis Enterprise