Flaws Hit QuickTime, iTunes

Attention Apple users: Step away from reading about MacWorld,
put down your iPods and update your QuickTime software now to prevent a
hacker from taking over your system.

There are five highly critical flaws in Apple’s QuickTime application
that affect both Apple and Windows versions, as well as Apple’s
popular iTunes application.

The flaws all relate to image-handling issues inside of QuickTime.
CVE-2005-2340 is described by security firm Secunia as, “a boundary error in
the handling of QTIF images [that] can be exploited to cause a heap-based buffer
overflow.” Such a buffer overflow could allow an attacker to execute
arbitrary code.

CVE-2005-3707, CVE-2005-3708 and CVE-2005-3709 involve the TGA image file
format that, when viewed, could also result in arbitrary code execution.
CVE-2005-3710 and CVE-2005-3711 are similar flaws but related to the TIFF
file format. CVE-2005-3713 affects GIFs.

CVE-2005-4092 is described by Secunia as, “a boundary error in the
handling of certain media files [that] can be exploited to cause a heap-based
buffer overflow.” Again the potential impact is arbitrary code execution
when a malicious media file is viewed.

According to Security firm eEye, which claims credit for discovery of a
number of the vulnerabilities, QuickTime users aren’t the only ones at risk. Users of iTunes are also at risk due to its tight integration with
QuickTime and, as such, “all of these security issues are also exploitable
via the iTunes software.”

“Most IT departments probably saw Apple’s security update and thought
‘that’s a consumer application, I don’t have to worry about security
policies for that.’ Those IT departments would be mistaken,” said Marc
Maiffret, eEye’s co-founder and chief hacking officer in a statement.

“There
are few people that have not seen a co-worker with an iPod wandering the
halls of their organization and those iPods probably mean iTunes is on your
network.”


Apple has provided an update for QuickTime
that patches all the currently publicly disclosed vulnerabilities.

News Around the Web