Feeds

Apple patches security hole in QuickTime

QuickTime one of four popular apps currently at risk

Mobile application security vulnerability report

Apple has patched a high-profile vulnerability in QuickTime eleven days after the flaw allowed a hacker to publicly hijack a brand new MacBook Pro. The Apple media player is just one of four popular applications suffering from security defects that currently require the urgent attention of those who use them.

The three other applications include Adobe Photoshop, the Winamp media player and Trillian, a client that combines the functionality of IRC, AOL Instant Messenger, MSN Messenger and other chat programs. Today's update from Apple means that two of the four applications have patches (Trillian's patched download is here.) Users who care about the security of their machines should install them promptly.

According to an advisory from Secunia, the current version of Winamp contains a flaw in the way the program handles MP4 files that could allow a booby-trapped file to execute arbitrary code on a victim's machine. Secunia rates the flaw highly critical, the site's second most serious rating. Until there is a patch, Winamp users may want to think twice about playing MP4 files unless absolutely sure they originated from reputable sources.

Secunia has also warned of at least two serious vulnerabilities in Photoshop that are also labeled highly critical. One flaw, a buffer overflow vulnerability, affects Adobe Photoshop CS2 and Adobe Photoshop CS3 and involves their handling of Bitmap files. The other affects the same two Photoshop versions as well as Adobe Photoshop Elements 5.x and leaves users open to attack if they open malformed PNG graphics files. Users are advised not to open untrusted PNG or Bitmap files pending the release of a security update from Adobe.

Version 3.1.5.0 of Trillian carries three vulnerabilities related to IRC that could allow for the interception of private conversations or the execution of code with the same privileges as the currently logged on user, according to iDefense Labs. The security provider didn't assign a rating to the vulnerabilities.

Apple describes the patched vulnerability in QuickTime for Java as an implementation issue that "may allow reading or writing out of the bounds of the allocated heap." By luring a victim to a malicious website, a miscreant could hijack a user's machine, Apple warns. The update is available for Mac and Windows platforms.

The QuickTime vulnerability was discovered by Dino Dai Zovi, who spent about nine hours to write code that exploited it and submitted it as part of a contest at the CanSecWest security conference. His discovery, first reported to affect Safari, was later shown to target QuickTime. In either case, the exploit allowed him to take control of a 15-inch MacBook Pro when it visited a website that hosted the malicious code. ®

Boost IT visibility and business value

More from The Register

next story
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
For Lenovo US, 8-inch Windows tablets are DEAD – long live 8-inch Windows tablets
Reports it's killing off smaller slabs are greatly exaggerated
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Microsoft unsheathes cheap Android-killer: Behold, the Lumia 530
Say it with us: I'm King of the Landfill-ill-ill-ill
Seventh-gen SPARC silicon will accelerate Oracle databases
Uncle Larry's mutually-optimised stack to become clearer in August
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.