Friday, January 26, 2007

Apple QuickTime flaw

Apple on Tuesday posted Security Update 2007-001, which fixes a problem first brought to light earlier this month by the Month of Apple Bugs project.

The update has been distributed in separate downloads for Mac OS X v10.3 “Panther” and Mac OS X v10.4 “Tiger” users. It can also be downloaded through the Software Update system preference.

The update corrects a problem involving QuickTime 7.1.3 running on Mac OS X v10.3.9, Mac OS X Server v10.3.9 and higher, as well as Windows XP/2000.

“A buffer overflow exists in QuickTime’s handling of RTSP URLs,” explained Apple in a tech note posted to its Web site. “By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution.”

“This update addresses the issue by performing additional validation of RTSP URLs,” said Apple.

Apple notes that a QTL file that triggers this problem was posted to the Web site of the “Month of Apple Bugs” project.
