Feeds

Apple patches security hole in QuickTime

QuickTime one of four popular apps currently at risk

Security for virtualized datacentres

Apple has patched a high-profile vulnerability in QuickTime eleven days after the flaw allowed a hacker to publicly hijack a brand new MacBook Pro. The Apple media player is just one of four popular applications suffering from security defects that currently require the urgent attention of those who use them.

The three other applications include Adobe Photoshop, the Winamp media player and Trillian, a client that combines the functionality of IRC, AOL Instant Messenger, MSN Messenger and other chat programs. Today's update from Apple means that two of the four applications have patches (Trillian's patched download is here.) Users who care about the security of their machines should install them promptly.

According to an advisory from Secunia, the current version of Winamp contains a flaw in the way the program handles MP4 files that could allow a booby-trapped file to execute arbitrary code on a victim's machine. Secunia rates the flaw highly critical, the site's second most serious rating. Until there is a patch, Winamp users may want to think twice about playing MP4 files unless absolutely sure they originated from reputable sources.

Secunia has also warned of at least two serious vulnerabilities in Photoshop that are also labeled highly critical. One flaw, a buffer overflow vulnerability, affects Adobe Photoshop CS2 and Adobe Photoshop CS3 and involves their handling of Bitmap files. The other affects the same two Photoshop versions as well as Adobe Photoshop Elements 5.x and leaves users open to attack if they open malformed PNG graphics files. Users are advised not to open untrusted PNG or Bitmap files pending the release of a security update from Adobe.

Version 3.1.5.0 of Trillian carries three vulnerabilities related to IRC that could allow for the interception of private conversations or the execution of code with the same privileges as the currently logged on user, according to iDefense Labs. The security provider didn't assign a rating to the vulnerabilities.

Apple describes the patched vulnerability in QuickTime for Java as an implementation issue that "may allow reading or writing out of the bounds of the allocated heap." By luring a victim to a malicious website, a miscreant could hijack a user's machine, Apple warns. The update is available for Mac and Windows platforms.

The QuickTime vulnerability was discovered by Dino Dai Zovi, who spent about nine hours to write code that exploited it and submitted it as part of a contest at the CanSecWest security conference. His discovery, first reported to affect Safari, was later shown to target QuickTime. In either case, the exploit allowed him to take control of a 15-inch MacBook Pro when it visited a website that hosted the malicious code. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Oi, Tim Cook. Apple Watch. I DARE you to tell me, IN PERSON, that it's secure
State attorney demands Apple CEO bows the knee to him
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Monitors monitor's monitoring finds touch screens have 0.4% market share
Not four. Point four. Count yer booty again, Microsoft
Hey, Mac fanbois. HGST wants you drooling over its HUGE desktop RACK
What vast digital media repository could possibly need 64 TERABYTES?
In a spin: Samsung accuses LG exec of washing machine SABOTAGE
Rival electronic giant tries to iron out allegations
Bono: Apple will sort out monetising music where the labels failed
Remastered so hard it would be difficult or impossible to master it again
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.