Apple fixes security bug identified in Mac hacker book
Tuesday, June 2, 2009
Apple released patches Monday for 10 security holes in QuickTime 7.6.2 for Windows 7 and Mac OS X and one patch for a flaw in iTunes 8.2. One of the flaws was previously disclosed in a hacker's manual published in March.
All of the critical vulnerabilities were described as allowing "arbitrary code execution," which if exploited could result in a hacker taking control of an infected PC or Mac. Apple does not rank its fixes by severity of vulnerability as do other software companies.
Security experts said the QuickTime vulnerabilities were primarily file format processing bugs, but included one flaw that was identified in a book released in March called The Mac Hacker's Handbook, written by IT security pros Charlie Miller and Dino Tai.
Miller said he put instructions in the book that would allow a reader to find the bug, although he did not show proof of concept, according to PC World.
"If you followed all the steps [in the book] you would find ... the bug," Miller told PC World yesterday. "I didn't show the bug, but I gave the recipe for how to find it."
The bug involves a flaw in the way QuickTime reads files that are compressed using the JPEG 2000 (JP2) standard.
Miller, who won a hacking contest at the Pwn2Own conference sponsored by Apple, gave the exploit code for the JP2 flaw to Apple's security team after he announced that it was partially revealed in his book, according to PC World.
Related News:
Small businesses need stronger web security - 3.11.2010
Cyber criminals have increased efforts to target the bank accounts of small businesses because they frequently do not have the web security measures in place that larger companies do, according to David Nelson of the Federal Deposit Insurance Corporation.
UK bankers struggle with online fraud - 3.11.2010
Online banking fraud cost bankers in the UK the equivalent of nearly $90 million in 2009, according business technology website Silicon.com.
Koobface changes as web security professionals prepare attack - 3.11.2010
As web security professionals attempt to take down Koobface, the cyber criminals that designed the malware strain have altered the virus to escape potential elimination, according the Register, a technology news website based in the UK.
Cyber criminals target web security with phony Windows update - 3.11.2010
As more people update from Windows Vista or Windows XP, cyber criminals have developed malware that takes advantage of people's desire to make the move, according to Computer Weekly.
Botnet activity diminished following ISP failure - 3.11.2010
The shutdown of internet service provider Troyak.org, a company based in Kazakhstan, resulted in the diminution of Zeus botnets on the web on Tuesday, according to Swiss web security blog Abuse.ch.
|
