QuickTime Java Exploit plugged in record time...

May 2, 2007 12:07 GMT

Despite many people saying that Apple doesn't take security as seriously as it should, Apple continues to deliver security updates in a very timely manner, closing holes before exploits for them can be found in the wild. On Tuesday, Apple released Security Update 2007-004 v1.1, AirPort Extreme Update 2007-003 and a QuickTime 7.1.6 update.

All three updates fix issues and improve the security of various system components, and are recommended for all users.

Of particular interest is the QuickTime update, which fixes the much-talked-about exploit used in the "PWN to OWN" competition. The issue, which was initially reported as browser-related, was later revealed to be in the way that QuickTime interacts with Java, making it both browser and platform independent.

According to the update notes:

An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional bounds checking when creating QTPointerRef objects. Credit to Dino Dai Zovi working with TippingPoint and the Zero Day Initiative for reporting this issue.

The QuickTime update is available for both Mac OS X and Windows, while the other two are for OS X only. Many security experts have accused Apple of being slow to react to vulnerabilities and close holes in their software, but the speed with which Apple issued this update speaks for itself, especially considering that they have updates both for OS X and Windows.

Despite the vulnerability being potentially serious, there was no exploit in the wild for it, and now it has been patched. Users who disabled Java to avoid any possible issues can safely turn it back on after updating.