Security Watch

Keeping track of patches and hacks in the IT security world.

Hey Apple, Where's my iPhoto Security Patch?

Two days ago, Apple released iPhoto 7.1.2 to patch a format string vulnerability that was found and reported by Ernst & Young researcher Nate McFeters.

The language in the advisory from Apple sounds pretty scary:

"A format string vulnerability exists in iPhoto. By enticing a user to subscribe to a maliciously crafted photocast, a remote attacker may cause arbitrary code execution. This update addresses the issue through improved handling of format strings when processing photocast subscriptions."

Whenever I see "remote" and "code execution" in the same sentence, I get nervous.
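The advisory names the bug class but none of the code, so here is a generic C illustration, added here and not Apple's or McFeters' code, of what the vulnerable pattern and an "improved handling of format strings" fix look like. The photocast title handling, the `status_line` helper and the function names are hypothetical, and the sample titles are constructed; the point is the difference between using untrusted data as the format and passing it as an argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical vararg helper of the kind an application keeps around for
 * status and log messages. It carries no format attribute, so the compiler
 * cannot warn when a caller hands it untrusted data as the format string. */
static int status_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* VULNERABLE pattern: the feed title arrives with the photocast subscription,
 * so it is attacker-controlled, and here it becomes the format string. Every
 * %-directive in it is interpreted: %x reads stack words, %s dereferences
 * them, and %n writes a byte count through a pointer taken from the stack,
 * which is the step that turns a format string bug into code execution. */
int subscribe_vulnerable(const char *feed_title, char *out, size_t n)
{
    return status_line(out, n, feed_title);
}

/* FIXED pattern: the format is a constant and the title is only an argument,
 * so a title full of %n is copied as inert text. */
int subscribe_fixed(const char *feed_title, char *out, size_t n)
{
    return status_line(out, n, "%s", feed_title);
}

/* Counts conversion directives (a '%' not followed by another '%') in
 * untrusted text. Handy as a cheap assertion in a fuzz harness or a
 * proxy-side check: a feed title should have zero. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Returns 1 if rendering `title` through `render` yields `expected`. */
int renders_as(int (*render)(const char *, char *, size_t),
               const char *title, const char *expected)
{
    char buf[128];
    render(title, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample titles. The "%%" one shows the format engine running
     * on the title without undefined behaviour (%% consumes no argument); the
     * %n title is only ever sent through the fixed path here. */
    const char *benign = "Holiday photos 100%% uploaded";
    const char *hostile = "%x%x%x%n";
    char buf[128];

    subscribe_vulnerable(benign, buf, sizeof buf);
    printf("vulnerable: %s\n", buf);   /* "%%" was consumed and became "%" */

    subscribe_fixed(benign, buf, sizeof buf);
    printf("fixed:      %s\n", buf);   /* "%%" kept verbatim */

    subscribe_fixed(hostile, buf, sizeof buf);
    printf("fixed:      %s (directives in title: %d)\n",
           buf, count_directives(hostile));
    return 0;
}
```

One caveat worth knowing: `-Wformat-security` only flags non-literal formats on calls the compiler recognises as printf-like. A wrapper such as `status_line` hides the bug unless it is declared with `__attribute__((format(printf, 3, 4)))`, so adding that attribute to every in-house formatting helper is the cheapest way to make this class of bug show up at build time.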

[ALSO SEE: QuickTime Under Siege: Another Zero Day Exploit Released]

I've been hitting Software Update repeatedly on my MacBook for the last 36 hours and here's what Apple tells me:

[Screenshot: the Software Update dialog]

I'm running iPhoto 6.0.6 (322) on this machine, so this is definitely an out-of-date version of the software. What gives?

While I'm at it, what's the status of the one-month-old QuickTime RTSP flaw that also brings code execution risk?

UPDATE: Turns out this update is only available for iPhoto '08 7.1 (iLife '08). I'm running iLife '06 (6.0.x), and therefore a fix isn't available for me.

Problem is, I don't know for sure (does Apple?) that iLife '06 isn't affected.

ANOTHER UPDATE: Via Twitter, Rich Mogull has a better explanation:

"It's a web gallery vuln, which isn't a feature in iPhoto 6."

Phew. I'm now thinking Apple's bulletins desperately need a "not affected" section.

Also see: Technical details on the bug from Nate McFeters.