Here’s something that may be buried in the crazy Macworld news cycle: Apple has shipped two high-priority (critical) security patches for the QuickTime, iPhone and iPod Touch products.
The QuickTime update covers at least four serious vulnerabilities that put Windows and Mac machines at risk of code execution holes but, inexplicably, there are no fixes for the RTSP bug that was publicly released as a zero-day last week.
Here’s the documentation from Apple:
“* CVE-2008-0031–A memory corruption issue exists in QuickTime’s handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2.* CVE-2008-0032–A memory corruption issue exists in QuickTime’s handling of Macintosh Resource records in movie files. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2.* CVE-2008-0033–A memory corruption issue exists in QuickTime’s parsing of Image Descriptor (IDSC) atoms. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2.* CVE-2008-0036–A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. Affects Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2.“
Apple also shipped iPhone v1.1.3 and iPod Touch v1.1.3 to add several new features announced at Macworld and also to address at least three security holes.
The skinny on these vulnerabilities, which affect iPhone v1.0 through v1.1.2 and iPod Touch v1.1 through 1.1.2:
“* CVE-2008-0035–A memory corruption issue exists in Safari’s handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution.* CVE-2008-0034–An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode.* CVE-2007-5858–Visiting a maliciously crafted Web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information.“