Apple patches QuickTime and Bonjour
Apple has released version 7.5.5 of its QuickTime framework which fixes nine security vulnerabilities. The company classifies eight of these as critical, as they can be exploited to inject and execute code on vulnerable systems. One of the bugs is present only in the Windows version.
The bugs are the result of integer, buffer and heap overflows and memory errors in, for example, the Indeo codec or parsers for processing QTVR (QuickTime Virtual Reality) and H.264 encoded films or PICT images. A successful attack merely requires the victim to open a specially crafted file. The update is available to download for Windows Vista, XP SP2 and SP3, Mac OS X v10.4.9 to v10.4.11 and Mac OS X v10.5.x.
Apple has also released update 1.0.5 for the Windows version of its Bonjour network service. The update fixes two vulnerabilities. The first relates to the infamous cache poisoning problem, to which mDNSResponder is also vulnerable. The second vulnerability enables an attacker to crash the mDNSResponder using crafted .local domain names. The update is available for Windows Vista, XP SP2 and SP3, Server 2003 and 2000.
In addition, Apple has also released information on the security vulnerabilities fixed in iTunes 8.0 and in the new iPod Touch firmware. Five vulnerabilities have been fixed in iPod Touch, of which one, in WebKit, can be exploited for code injection. In iTunes there are just two non-critical vulnerabilities.
See also:
- About the security content of QuickTime 7.5.5, Report from Apple
- About the security content of Bonjour for Windows 1.0.5, Report from Apple
- About the security content of iPod touch v2.1, Report from Apple
- About the security content of iTunes 8.0, Report from Apple
(trk)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
