Apple's vulnerability patch count: 10 QuickTime, 1 iTunes, 0 Java
Is Cupertino straining at gnats while much larger objects float in the punchbowl? Security professionals might wonder, as Apple on Monday released the 7.6.2 update to QuickTime that patches ten security holes in that player. The notorious Java hole reported last year and exploited at pwn2own in February remained untouched.
Many of the patches address -- what else? -- buffer-handling issues. A problem brought to Apple's attention by a researcher working with TippingPoint's Zero Day Initiative, in which a heap buffer overflow could be triggered by a maliciously crafted FLC file, has been addressed. Compressed PSD files could also be used to trigger a buffer overflow; that's been taken care of. (Another score for the Zero Day Initiative, by the way, which gets full or partial credit for six of the vulnerabilities addressed this time around.) Heap buffer overflow issues with MS ADPCM-encoded movie files, CRGN (Clipping Region) atom types in movie files, and JP2 files also met their makers.
A memory-corruption issue in QuickTime's handling of Sorenson 3 (video) files has been addressed, as have two problems with QuickTime's handling of PICT images. There was a sign extension issue in QuickTime's handling of image description atoms that Apple addressed by improving validation in that code, and one that could trigger an application crash or even arbitrary code execution if a user data atom's size equaled zero.
Eight of the patches apply to both Mac OS X (v. 10.4.11 and later) and Windows users, while two -- the CRGN problem and an integer-underflow error addressed in one of the PICT-related patches -- are strictly for users of Windows XP SP3 and Vista.
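The sign-extension, zero-size-atom and integer-underflow bugs listed above are all variations on one mistake: trusting a length field before validating it. The C below is an added illustration, not Apple's code and not QuickTime's real atom layout; the 8-byte header layout, the atom type tags, the function names and the sample byte strings are all constructed for the example. It shows the naive length computation that goes wrong on those inputs next to a parser that rejects them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for illustration only (not QuickTime's real format):
 * 4-byte big-endian size that includes this 8-byte header, a 4-byte type
 * tag, then payload. */
#define ATOM_HDR_LEN 8u

enum atom_status { ATOM_OK = 0, ATOM_TRUNCATED = 1, ATOM_BAD_SIZE = 2 };

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The defect classes in miniature. The size is read as a signed value, so a
 * length with its top bit set sign-extends to a negative int and passes the
 * "too big?" test; a zero size passes as well and then wraps to a huge
 * size_t when the header is subtracted. Returns the payload length a naive
 * caller would go on to trust. */
size_t payload_len_unchecked(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < ATOM_HDR_LEN)
        return 0;
    int32_t size = (int32_t)read_be32(buf);
    if (size > (int32_t)buf_len)          /* never true for a negative size */
        return 0;
    return (size_t)size - ATOM_HDR_LEN;   /* size 0 wraps to SIZE_MAX - 7 */
}

/* Hardened: unsigned read, minimum-size check before any subtraction, and a
 * comparison against the bytes actually remaining in the buffer. */
enum atom_status parse_atom(const uint8_t *buf, size_t buf_len, size_t off,
                            uint32_t *type, size_t *payload_len)
{
    if (off > buf_len || buf_len - off < ATOM_HDR_LEN)
        return ATOM_TRUNCATED;
    uint32_t size = read_be32(buf + off);
    if (size < ATOM_HDR_LEN)              /* rejects zero and sub-header sizes */
        return ATOM_BAD_SIZE;
    if (size > buf_len - off)             /* compare; never subtract and hope */
        return ATOM_TRUNCATED;
    *type = read_be32(buf + off + 4);
    *payload_len = size - ATOM_HDR_LEN;
    return ATOM_OK;
}

/* Payload length of the first atom, or -1 if the parser rejects it. */
long first_atom_payload(const uint8_t *buf, size_t buf_len)
{
    uint32_t type;
    size_t n;
    if (parse_atom(buf, buf_len, 0, &type, &n) != ATOM_OK)
        return -1;
    return (long)n;
}

/* Walk consecutive atoms and count them, or return -1 at the first bad one.
 * Because parse_atom guarantees size >= 8, the offset always advances. */
long count_atoms(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    long count = 0;
    while (off < buf_len) {
        uint32_t type;
        size_t n;
        if (parse_atom(buf, buf_len, off, &type, &n) != ATOM_OK)
            return -1;
        off += ATOM_HDR_LEN + n;
        count++;
    }
    return count;
}

/* Constructed sample inputs: one valid atom, a chain of two valid atoms,
 * a zero-size atom, and an atom whose size has the top bit set. */
const uint8_t sample_good[]   = { 0,0,0,12, 'u','d','t','a', 'A','B','C','D' };
const uint8_t sample_chain[]  = { 0,0,0,12, 'u','d','t','a', 'A','B','C','D',
                                  0,0,0,8,  'f','r','e','e' };
const uint8_t sample_zero[]   = { 0,0,0,0,    'u','d','t','a', 0,0,0,0, 0,0,0,0 };
const uint8_t sample_signed[] = { 0x80,0,0,0, 'f','r','e','e', 0,0,0,0, 0,0,0,0 };

int main(void)
{
    printf("good: %ld  chain: %ld  zero: %ld  signed: %ld\n",
           first_atom_payload(sample_good, sizeof sample_good),
           count_atoms(sample_chain, sizeof sample_chain),
           first_atom_payload(sample_zero, sizeof sample_zero),
           first_atom_payload(sample_signed, sizeof sample_signed));
    printf("unchecked zero-size payload: %zu\n",
           payload_len_unchecked(sample_zero, sizeof sample_zero));
    return 0;
}
```

The unchecked variant returns a payload length larger than the whole buffer for both the zero-size and the sign-extended inputs, which is exactly the value a subsequent copy or allocation would misuse; the hardened parser returns a status instead and never performs the subtraction until the size has been bounded on both ends.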
Apple also released an iTunes update today, raising the version number to 8.2. The update included one security fix, which addressed a stack buffer overflow that could be triggered if the user were to visit a maliciously crafted "itms:" URL. The problem, which has been patched with better bounds checking, could have led to an iTunes crash or to unwanted code execution.