Multiple Apple updates deliver security patches as well as new features

Stephen Withers
Wednesday, 10 September 2008 06:56

Your IT - Home IT

Microsoft wasn't the only company to have a Patch Tuesday this month. Updates from Apple include security fixes for widely used software including QuickTime and iTunes. As in the Windows updates, several of the issues addressed by Apple concern malformed media files.

Apple released new versions of iTunes, QuickTime and Front Row for Mac OS X, and of iTunes, QuickTime, MobileMe Control Panel, and Bonjour for Windows.

From a security perspective, the change in iTunes 8.0 for Mac was primarily cosmetic: a warning dialog has been changed to clarify the effect of unblocking iTunes Music Sharing in the firewall.

The fix in the Windows version involves an unspecified third-party driver and an integer overflow that can be exploited by a local user to gain system privileges.

If you're in a situation where local privilege escalations are a concern, you probably don't let people install or run iTunes.

QuickTime is even more widely used, for example by cross-platform multimedia packages. Version 7.5.5 fixes several Windows-specific flaws that can be exploited with maliciously crafted Indeo or PICT files.

Cross-platform flaws can be exploited with maliciously crafted QTVR, H.264, PICT or movie files.

All of the QuickTime flaws can result in the failure of an application; all but one have the potential to allow the execution of arbitrary code.

Bonjour for Windows 1.0.5 provides better checking of DNS labels to avoid a denial of service attack using maliciously crafted .local domain names, and applies source port and transaction ID randomisation to reduce the risk of spoofed information being delivered for unicast DNS queries.

Apple notes "there are no known applications that use the Bonjour APIs for unicast DNS hostname resolution."

What else is new? Find out on page two.