Flaws Hit QuickTime, iTunes Five Highly Critical Flaws Patched Sean Michael Kerner
Attention Apple users: Step away from reading about MacWorld, put down your iPods and update your QuickTime software now to prevent a hacker from taking over your system.
There are five highly critical flaws in Apple's QuickTime application that affect both Apple and Windows versions, as well as Apple's popular iTunes application.
The flaws all relate to image-handling issues inside of QuickTime. CVE-2005-2340 is described by security firm Secunia as, "a boundary error in the handling of QTIF images [that] can be exploited to cause a heap-based buffer overflow." Such a buffer overflow could allow an attacker to execute
arbitrary code.
CVE-2005-3707, CVE-2005-3708 and CVE-2005-3709 involve the TGA image file format that, when viewed, could also result in arbitrary code execution. CVE-2005-3710 and CVE-2005-3711 are similar flaws but related to the TIFF file format. CVE-2005-3713 affects GIFs.
CVE-2005-4092 is described by Secunia as, "a boundary error in the handling of certain media files [that] can be exploited to cause a heap-based buffer overflow." Again the potential impact is arbitrary code execution when a malicious media file is viewed.
According to Security firm eEye, which claims credit for discovery of a number of the vulnerabilities, QuickTime users aren't the only ones at risk. Users of iTunes are also at risk due to its tight integration with QuickTime and, as such, "all of these security issues are also exploitable via the iTunes software."
"Most IT departments probably saw Apple's security update and thought 'that's a consumer application, I don't have to worry about security policies for that.' Those IT departments would be mistaken," said Marc Maiffret, eEye's co-founder and chief hacking officer in a statement.
"There are few people that have not seen a co-worker with an iPod wandering the halls of their organization and those iPods probably mean iTunes is on your network."
Apple has provided an update for QuickTime that patches all the currently publicly disclosed vulnerabilities.
