Vulnerabilities within QuickTime?

[Sunnz]

On a FreeBSD mailing list, someone quoted Apple:

The Apple Security Team reports that there are multiple
vulnerabilities within QuickTime (one of the plugins for
win32-codecs). A remote attacker capable of creating a malicious SGI
image, FlashPix, FLC movie, or a QuickTime movie can possibly lead to
execution of arbitrary code or cause a Denial of Service (application
crash).

Users who have QuickTime (/win32-codecs) as a browser plugin may be
vulnerable to remote code execution by visiting a website containing a
malicious SGI image, FlashPix, FLC movie or a QuickTime movie.

Of course, they are most concerned with win32codecs on their OS...

So, what about OSX? Do we have this vulnerability in the pre-installed quicktime as well? Did Apple really announced this? Does anyone know if there is an official Apple Security Advisory list?

 

[fryke]

I'm not sure about this particular bug, but January 2007 _is_ "month of apple bugs" here -> http://projects.info-pull.com/moab/ ... Should be interesting.

Apple _does_ release information and security updates on this page: http://docs.info.apple.com/article.html?artnum=61798 ... There are links to updates and descriptions etc., although this, of course, only gets released when an update is available as well.

 

[Sunnz]

Hmm... aren't they the same people who "proved" MacBook's wireless vulnerability... not using the internal Airport but a 3rd party wifi card?

 

[Sunnz]

Anyway, found a link about QT 7.1.3 from Apple: http://docs.info.apple.com/article.html?artnum=304357

 

[fryke]

Even _if_ those are the same guys, doesn't make the bugs go away. I really hope Apple uses this "MOAB" thing for their own good, fixing things promptly and responding in a timely fashion.
So far, they've only kinda "welcomed" the MOAB. But nothing more about it.

 

[Sunnz]

Well, guess what? Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, comes to rescue!!!

http://landonf.bikemonkey.org/code/macosx

Basically he's gotta to squat each MOAB as they are released.

 

[fryke]

nice. ... although i _still_ hope that Apple will answer the MOAB appropriately. Maybe they can simply take the fixes and implement them, so they can release one security update at the end of the month.

 

[lurk]

I wonder about the ground rules on this though, Day 2 was a bug in VLC that is not really an Apple bug is it? I mean if that is the case we could fill up the rest of the month with Word alone ;-)

// Computer brand loyalty is teh kewl!

 

[Sunnz]

fryke, I see what you mean, now the fixes are already here a 10.4.9 shouldn't too hard.

On the other hand, the paranoid can patch their system (apps?) from Fuller as the bugs gets released.

Lurk, exactly, with word, they can probably go on and fill up the rest of 2007!!

 

[fryke]

10.4.9 is already in development, and I think new fixes won't make it into that build. A separate security update release would fit better.

 

[Captain Code]

Landon's fixes don't really fix anything, they just bypass the problem. It requires you use a program called Application Enhancer which allows his code to be injected into a running application like Quicktime. This code replaces the calls to the vulnerable functions with his own, does some validation to fix the flaw, and then calls the original function.

Not that this isn't a work around for the flaws, but it's not exactly a fix for Apple's code.

 

[Viro]

While it isn't a fix per se, it's much better than leaving your machine unpatched after the entire world has been alerted to the vulnerabilities affecting Apple machines. I suggest using Landon's fixes until Apple releases an official fix. Waiting till the end of the month before doing something about it doesn't sound safe to me