
SANS ISC: InfoSec Handlers Diary Blog - Apple updates iTunes+QuickTime InfoSec Handlers Diary Blog



Apple updates iTunes+QuickTime

Published: 2008-09-09
Last Updated: 2008-09-09 20:28:34 UTC
by Swa Frantzen (Version: 1)

Following the media event announcing new gadgets, predictably, iTunes and QuickTime got updated. A bit of a surprise is that those upgrades also have a number of security fixes incorporated.

The QuickTime update to 7.5.5 refers to the following CVE names: CVE-2008-3615, CVE-2008-3635, CVE-2008-3624, CVE-2008-3625, CVE-2008-3614, CVE-2008-3626, CVE-2008-3627, CVE-2008-3628, CVE-2008-3629

When Apple is ready, the description of the security part should end up here: http://www.info.apple.com/kbnum/n61798

All of them relate to opening "crafted" media files. Read: it's the typical list of input validation failures leading to code execution. You want this one if you have QuickTime installed.

The iTunes 8.0 update references the following CVE names: CVE-2008-3634, CVE-2008-3636.

The first one is interesting: it deals with updating the text so that it no longer says that changing firewall settings doesn't affect security. The second allows local privilege escalation in the Windows version. Compared to the QuickTime upgrade, this is less urgent in most environments.

--
Swa Frantzen -- Section 66
