Apple fixes security bug identified in Mac hacker book
Tuesday, June 2, 2009
Apple released patches Monday for 10 security holes in QuickTime 7.6.2 for Windows 7 and Mac OS X and one patch for a flaw in iTunes 8.2. One of the flaws was previously disclosed in a hacker's manual published in March.
All of the critical vulnerabilities were described as allowing "arbitrary code execution," which if exploited could result in a hacker taking control of an infected PC or Mac. Apple does not rank its fixes by severity of vulnerability as do other software companies.
Security experts said the QuickTime vulnerabilities were primarily file format processing bugs, but included one flaw that was identified in a book released in March called The Mac Hacker's Handbook, written by IT security pros Charlie Miller and Dino Tai.
Miller said he put instructions in the book that would allow a reader to find the bug, although he did not show proof of concept, according to PC World.
"If you followed all the steps [in the book] you would find ... the bug," Miller told PC World yesterday. "I didn't show the bug, but I gave the recipe for how to find it."
The bug involves a flaw in the way QuickTime reads files that are compressed using the JPEG 2000 (JP2) standard.
Miller, who won a hacking contest at the Pwn2Own conference sponsored by Apple, gave the exploit code for the JP2 flaw to Apple's security team after he announced that it was partially revealed in his book, according to PC World.
Related News:
UK cops arrest two in Zbot Trojan case - 11.19.2009
The British Metropolitan Police took two suspected cyber criminals into custody earlier this month in connection with an investigation into the Zbot banking Trojan.
Facebook shakes up privacy policy in response to criticism - 11.19.2009
After a week-long comment period in which 7,000 Facebook users voiced their opinions, the giant social media network announced that it would overhaul and simplify its privacy policy.
Domain registrar VeriSign will receive "major security update" by 2011 - 11.19.2009
A well-known security vulnerability in the way .com and .net websites process DNS values - the way alphanumeric website names are translated into numeric web addresses - will be fixed, but not until 2011, according to a report from tech news website ZDNet.
Malware attack targeting fans of Twilight series - 11.18.2009
As with many recent hot news trends, the upcoming release of the second movie based on Stephenie Meyer's Twilight books has attracted the attention not just of the vampire wannabes, but of actual cyber criminals as well.
Giant black-hat SEO campaign funnels victims to scareware sites - 11.18.2009
Security researchers say that cyber criminals have conducted a large-scale campaign to influence Google results, pushing malware-spreading sites higher on the list and dropping legitimate results to the bottom.
|
