Apple releases new QuickTime version


In addition to its announcement of a new iPhone, Apple has also released a new version of its QuickTime software.

The reason? To fix several nagging problems related to security concerns.

According to the Danish security research organization Secunia, the new release, version 7.5, claims to fix such vulnerabilities as:

A boundary error when parsing packed scanlines from a PixData structure in a PICT file can be exploited to cause a heap-based buffer overflow via a specially crafted PICT file.

An error in the processing of AAC-encoded media content can be exploited to cause a memory corruption via a specially crafted media file.

A boundary error in the processing of PICT files can be exploited to cause a heap-based buffer overflow via a specially crafted PICT file.

A boundary error in the processing of Indeo video codec content can be exploited to cause a stack-based buffer overflow via a specially crafted movie file with Indeo video codec content.

An error in the handling of "file:" URLs can be exploited to, e.g., execute arbitrary programs when playing specially crafted QuickTime content in QuickTime Player.



Secunia said that successful exploitation of these vulnerabilities may allow execution of arbitrary code - meaning that a hacker could take control of a user's PC.

Said Cameron Hotchkies, security researcher with TippingPoint's DVLabs, “Usually the security vulnerabilities in QuickTime are buffer overflows or integer overflows that are file-parsing related or size-related issues in the internal file format. So a buffer overflow as a security vulnerability is not that uncommon.”

QuickTime has been the source of multiple bugs this year. Apple earlier this year released an update to the media player that addressed 11 vulnerabilities. Four patches were issued in January.

“A lot of people are looking into the QuickTime format recently, going over it with a fine-tooth comb, trying to pick out as many vulnerabilities as they can,” Hotchkies said.
Copyright 2008 SC Magazine
Author:Chuck Miller
Publication:SC Magazine
Date:Jun 10, 2008