Apple patches critical holes in QuickTime and iPhoto
Apple has released update 7.1.2 for iLife iPhoto, its digital photo album sharing tool, to remedy a critical vulnerability. Attackers can exploit a format string vulnerability in iPhoto to inject code onto a victim's system and execute it in the context of the user. However, for the attack to succeed the victim must be subscribed to a manipulated photocast. Users can find out when new images have been added to an album or a new album has been created via a subscription to an XML feed, so a malicious photocast could be offered to the unsuspecting user.
At the beginning of 2007, Apple had to release a security update for iPhoto to fix a vulnerability that was also caused by a format string error. That bug was in the functions provided by Apple's AppKit framework.
Apple has also released updates 7.4.1 for QuickTime to prevent buffer overflows from occurring in the handling of specially crafted HTTP replies from web servers. According to Apple's security advisory, these can be exploited to take down entire user systems if the user visits a manipulated website. The problem is related to RTSP tunneling.
In mid-January, Apple had to close four critical holes in QuickTime, one of which was also found in the RTSP handling code. Apple has provided the update for Windows XP SP2 (22 MB), Windows Vista (22 MB), Mac OS X v10.3.9 (50 MB), Mac OS X v10.4.9 (51 MB) and Mac OS X v10.5 (55 MB) for downloading. Users can also use QuickTime's update function.
- About the security content of QuickTime 7.4.1, Apple security advisory
- About the security content of iPhoto 7.1.2, Apple security advisory