Two days ago, Apple released iPhoto 7.1.2 to patch a format string vulnerability that was found and reported by Ernst & Young researcher Nate McFeters.
The language in the advisory from Apple sounds pretty scary:
“A format string vulnerability exists in iPhoto. By enticing a user to subscribe to a maliciously crafted photocast, a remote attacker may cause arbitrary code execution. This update addresses the issue through improved handling of format strings when processing photocast subscriptions.“
Whenever I see remote and code execution in the same sentence, I get nervous.
I’ve been hitting Software Update repeatedly on my MacBook for the last 36 hours and here’s what Apple tells me:
I’m running iPhoto 6.0.6 (322) on this machine so this is definitely an out-of-date version of the software. What gives?
While I’m at it, what’s the status of the one-month-old QuickTime RTSP flaw that also brings code execution risk?
UPDATE: Turns out this update is only available for iPhoto ’08 7.1 (iLife ’08). I’m running iLife ’06 (6.0.x), and therefore, a fix isn’t available for me.
Problem is, I don’t know for sure (does Apple?) that iLife ’06 isn’t affected.
ANOTHER UPDATE: Via Twitter, Rich Mogull has a better explanation:
“It’s a web gallery vuln, which isn’t a feature in iPhoto 6.“
Phew. I’m now thinking Apple’s bulletins desperately need a “not affected” section.