eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Two days ago, Apple released iPhoto 7.1.2 to patch a format string vulnerability that was found and reported by Ernst & Young researcher Nate McFeters.
The language in the advisory from Apple sounds pretty scary:
“A format string vulnerability exists in iPhoto. By enticing a user to subscribe to a maliciously crafted photocast, a remote attacker may cause arbitrary code execution. This update addresses the issue through improved handling of format strings when processing photocast subscriptions.“
Whenever I see remote and code execution in the same sentence, I get nervous.
[ALSO SEE: QuickTime Under Seige: Another Zero Day Exploit Released]
I’ve been hitting Software Update repeatedly on my MacBook for the last 36 hours and here’s what Apple tells me:
I’m running iPhoto 6.0.6 (322) on this machine so this is definitely an out-of-date version of the software. What gives?
While I’m at it, what’s the status of the one-month-old QuickTime RTSP flaw that also brings code execution risk?
UPDATE: Turns out this update is only available for iPhoto ’08 7.1 (iLife ’08). I’m running iLife ’06 (6.0.x), and therefore, a fix isn’t available for me.
Problem is, I don’t know for sure (does Apple?) that iLife ’06 isn’t affected.
ANOTHER UPDATE: Via Twitter, Rich Mogull has a better explanation:
“It’s a web gallery vuln, which isn’t a feature in iPhoto 6.“
Phew. I’m now thinking Apple’s bulletins desperately need a “not affected” section.
Also see: Technical details on the bug from Nate McFeters.