43 Flaws Fixed in Mac OS X, QuickTime

Apple ships two separate updates to fix serious code execution holes affecting Mac OS X and the QuickTime media player.

Apple Computers security update train rumbled into the station late May 11 with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities.

The companys Security Update 2006-003 patches 31 flaws in the Mac OS X, most of them serious enough to cause "arbitrary code execution attacks."

Apple also shipped QuickTime 7.1 as a major security overhaul to correct 12 code execution and denial-of-service flaws.

The Mac OS X mega update includes patches for Apples flagship Safari browser and Mail client.

According to the advisory, the Safari fix covers a flaw that could allow file manipulation or code execution if a user is lured to a maliciously rigged Web site.

In Mail, Apple said the bug could allow harmful code execution if a user is tricked into viewing a malicious e-mail message.

/zimages/1/28571.gifTo read more about QuickTime code execution flaws, click here.

"By preparing a specially crafted e-mail message with MacMIME encapsulated attachments, an attacker may trigger an integer overflow. This may lead to arbitrary code execution with the privileges of the user running Mail," the company said.

The Mac OS X update also fixes code execution vulnerabilities in AppKit, ImageIO, BOM, CFNetwork, ClamAV, CoreFoundation, Finder, FTPServer, FlashPlayer, LaunchServices, libcurl, Preview, QuickDraw and QuickTime Streaming Server.

In the QuickTime 7.1 update, Apple ships 12 fixes for "application crash or arbitrary code execution" vulnerabilities.

The QuickTime bugs can allow a malicious hacker to launch successful attacks using different vectors; a specially crafted JPEG image; rigged QuickTime movies; specially created Flash, MPEG4 or H.264 movies; or maliciously crafted FlashPiX or BMP images.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest news, reviews and analysis on Apple in the enterprise.