Included in the slew of software updates released by Apple (just as soon as Steve Jobs ended his keynote address in San Francisco) are patches addressing security issues in the company's iTunes and QuickTime Mac apps, as well as in the iPod touch OS. Read on to learn about some of the vulnerabilities each update addresses.
It has been revealed that iTunes 8.0 not only brings hefty new features, but also resolves some security issues, particularly a vulnerability that results in an erroneous Firewall warning dialogue. Windows users of Apple's media player app received a fix addressing issues with system privileges.
QuickTime 7.5.5 lists some 9 security issues for both Mac and Windows users. For two of the vulnerabilities discovered on the Mac side, Apple states that viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution, and that opening a maliciously crafted PICT image may lead to an unexpected application termination. Their official descriptions (from Apple's Support page) are available below.
Description: A heap buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to Roee Hay of IBM Rational Application Security Research Group for reporting this issue.
Description: An out-of-bounds read issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. This update addresses the issue by performing additional validation of PICT images. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.
Lastly, iPod touch users have been granted the 2.1 update ahead of iPhone owners worldwide, who will receive it on Friday. Where the iPod touch is concerned, Apple has introduced a few fixes related to CoreGraphics, mDNSResponder, networking, WebKit, and the Application Sandbox environment. Session hijacking, arbitrary code execution, DNS cache poisoning, and improper handling of files are the main issues that could occur with iPod touch units.