Apple has released a QuickTime security update to address "highly critical" security flaws in its media player that could allow malicious attackers to take control of a user's system.
The security flaws affect QuickTime 7 versions running on Mac OS X and Windows. Users are advised to update to QuickTime 7.4.5, according to an Apple advisory issued Wednesday.
Apple issued 11 security updates designed to prevent malicious attackers from disclosing users' sensitive information, executing arbitrary code, or causing an application to suddenly crash.
Users can be hit with such evil dealings when visiting a Web site rigged with malicious Java applets, viewing a tampered movie file or opening a malicious PICT image file, according to the advisory.
Lovely, eh?
Those who want to delve deeper into the nitty-gritty details of the vulnerabilities can check out TippingPoint's Zero Day Initiative, which discovered some of these flaws, as well as security researcher Secunia, which lists all 11 updates.
The Apple QuickTime zero-day exploits are also targeting systems running Apple Safari 3.0 on Windows, Firefox, and Microsoft's Vista, XP, Internet Explorer 6, and IE7,
SANS also reminded people to undo the workarounds once Apple develops a patch for the security problem. Otherwise, the QuickTime streams won't work on your system.
Security researchers are warning that exploit code has been published that can take advantage of an extremely critical security flaw in a protocol supported by Apple QuickTime.
Apple QuickTime versions 7.2 and 7.3 on Microsoft Windows Vista and Windows XP Pro SP2 are both affected, according to an advisory originally posted on Milw0rm.com.
And because Apple's iTunes contains a component of QuickTime, installations of iTunes are also at risk, according to a security advisory by the United States Computer Emergency Readiness Team (US-CERT).
The security flaw is found in the Real Time Streaming Protocol (RTSP) supported by Apple's QuickTime Streaming Server and QuickTime player, US-CERT notes. As a result, users who load a malicious RTSP stream via a QuickTime Media Link file or by visiting a malicious Web page may find their systems compromised. Malicious attackers, for example, could execute arbitrary code on users' systems or launch a denial-of-service attack.
Earlier this month, Apple released QuickTime 7.3 to address seven security flaws in QuickTime 7.2. The fixes, however, did not deal with the RTSP vulnerability cited by security researchers over the past three days.
US-CERT is recommending users consider several workarounds to potentially minimize exposure to the RTSP vulnerabilities. The workarounds include disabling QuickTime ActiveX controls on Internet Explorer, QuickTime plug-ins for Mozilla-based browsers, JavaScript, and file association for QuickTime files. Other suggestions include avoiding QuickTime files that come from untrusted sources.
Security firm Secunia has rated the vulnerability "extremely critical."
On Wednesday, Cisco Systems issued 10 security updates--three of which address vulnerabilities that can cause "moderate" damage to users' systems.
Although Cisco lists the security flaws as "moderate," it ranks them a "4" on its 5-point severity scale. And in two of the three cases, attackers could gain access without the need to authenticate their identity.
Various versions of the Cisco CallManager and IOS products contain the security flaws, according to Cisco's security advisory.
The Cisco CallManager and IOS products contain security flaws that relate to processing malformed Session Initiation Protocol (SIP) packets. SIP packets are used to create and manage communications in such applications as VoIP and teleconferencing, and malicious ones could trigger a denial-of-service attack as the products attempt to handle them.
Security flaws were also found in Cisco IOS relating to its Next Hop Resolution Protocol packets, as well as its secure copy server operations in some versions of IOS.
Cisco issued an update for numerous versions of IOS, in an effort to patch a security flaw within its Next Hop Resolution Protocol packets and their boundary checking parameters. Malicious attackers could exploit the vulnerabilities by sending a malicious packet to users' systems, triggering a buffer overflow attack.
In the case of the secure copy (SCP) server flaws, an authenticated remote attacker could exploit a flaw in certain versions of Cisco IOS. The vulnerabilities are a result of insufficient enforcement of access restrictions when performing secure copy operations within IOS. As a result, attackers with minimal read-access privileges could perform SCP operations as though they had maximum privileges.
Adobe Systems this week issued three critical security updates designed to address vulnerabilities in its Flash Player, according to a security advisory issued by the company.
Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.
Users loading a malicious SWF (vector graphics format) file in their Flash Player may find attackers exploiting security flaws due to an input validation error in 9.0.45.0 and earlier versions, according to a security advisory by Secunia. Attackers, as a result, can gain remote access to a user's system.
In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to keystrokes leaking to a Flash Player applet, Secunia noted. Flash Player 9 is not affected.
Versions 8.0.34.0 and earlier contain a bug due to insufficient validation of the HTTP referer. As a result, an attacker could execute a cross-site request forgery attack. Flash Player 9, however, is not affected.
Adobe recommends that 9.0.45.0 users upgrade to 9.0.47.0 for Windows, Mac and Solaris, or 9.0.48.0 for Linux.
Adobe Flash Player 9 is the recommended solution for the other two versions that contain security flaws.
UPDATE: Blame them both.
That's the latest update from security researchers who initially laid the blame on Microsoft's Internet Explorer for the latest zero-day exploit that also can afflict those using the Firefox Web browser.
Users could face a "highly critical" risk if they have both IE and Firefox version 2.0, or later, loaded on their computer. The trouble begins when a user browsing with IE visits a malicious site that calls the "firefoxurl://" URI (uniform resource identifier) handler registered by Firefox; a URI handler allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.
Earlier Tuesday, security researcher Thor Larholm, who discovered the IE flaw, and security research giant Symantec put much of the blame on IE, while Secunia's Thomas Kristensen, chief technology officer, attributed the problem to Firefox versions 2.0 or later.
"It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."
"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm, in response to a reader's comments. "I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications."
Friedrichs noted that while Firefox, which released version 2 in October, has gained in popularity, most Firefox users will also have IE loaded on their computers, since it comes with the Windows operating system.
The number of people who may be at risk could be substantial, he added.
Meanwhile, Kristensen of Secunia said: "A new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the 'firefoxurl://' URI was called, like ftp://, http://, or similar would call other applications."
But because of the way the URI handler was registered by Firefox, it causes any parameter--which activates a program to perform a particular task--to be passed from Microsoft's Internet Explorer, or another application, to Firefox, when firefoxurl:// is activated.
An attacker may use "chrome" context--the interface elements of a browser that create the frame around its page displays--to inject code on a user's system that would be executed within Firefox, Kristensen said.
"Registering the URI handler must be done with care, since Windows does not have any proper way of knowing what kind of input potentially could be dangerous for an application," said Kristensen. "For example, how should Windows know that the string 'chrome' could be dangerous for Firefox?"
Other than avoiding malicious Web sites, system administrators could unregister, or remove, the "Firefox URL" URI handler, as well as change the way Firefox accepts the chrome input, Kristensen said.
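The command-line argument injection Larholm and Kristensen describe, sketched as an added example that is not from the original article or from either vendor's code. The handler template, executable path, `-url` switch and sample URL are constructed assumptions, and the argument splitter is a simplified stand-in for Windows command-line parsing; it compares a caller that substitutes the URL unescaped with one that percent-encodes it first.

```python
from urllib.parse import quote

# Constructed handler command in the style of a Windows shell\open\command
# value. The path and the -url switch are assumptions, not Firefox's entry.
TEMPLATE = r'"C:\Browser\browser.exe" -url "%1"'
EXPECTED_ARGC = 3  # program, -url, the URL itself

# Constructed sample: a URL carrying a double quote and an extra switch.
SAMPLE_URL = 'firefoxurl://example.test/" -constructed-switch "value'


def split_args(cmdline):
    """Simplified Windows-style split: spaces separate arguments and
    double quotes toggle quoting (backslash escaping is not modelled)."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch == " " and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args


def launch_unescaped(url):
    """Caller substitutes the URL into the template as-is."""
    return split_args(TEMPLATE.replace("%1", url))


def launch_escaped(url):
    """Caller percent-encodes quotes, spaces and other unsafe characters
    first, so nothing in the URL can close the quoted argument."""
    safe = quote(url, safe=":/?&=#%@+,;")
    return split_args(TEMPLATE.replace("%1", safe))


def extra_args(args):
    """Arguments beyond those the handler template defines."""
    return args[EXPECTED_ARGC:]


if __name__ == "__main__":
    print("unescaped:", extra_args(launch_unescaped(SAMPLE_URL)))
    print("escaped:  ", extra_args(launch_escaped(SAMPLE_URL)))
```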
A number of highly critical security flaws have been found in the latest version of Yahoo Messenger, which could allow attackers to gain remote access to users' systems, according to a security advisory issued by eEye Digital Security.
The vulnerabilities affect Yahoo Messenger versions 8.1 and 8.0, running on Windows, eEye stated in its "upcoming advisories."
Although eEye does not disclose extensive details about vulnerabilities until the respective vendor develops a patch, the security researcher did note the Yahoo IM flaws require little user interaction for an attacker to exploit the vulnerabilities.
"It's the classic bug. Instead of targeting your network or perimeter, it can target your desktop or client applications," said Marc Maiffret, eEye founder and chief technology officer. "Most companies are heavily dependent on perimeter security, but this is a case where network firewalls and intrusion prevention won't be enough."
Currently, no zero-day exploits exist, said Maiffret, who noted eEye informed Yahoo about the vulnerabilities Tuesday.
One potential workaround is eEye's Blink Personal security suite, which is free for the first year.
Yahoo, meanwhile, said it is currently working on a patch for the vulnerabilities.
"We recently learned of a buffer overflow security issue in an ActiveX control. This control is part of the code for webcam image upload and viewing. Upon learning of this issue, we began working towards a resolution and expect to have a fix shortly," said Terrell Karlsten, a Yahoo spokesman.
The critical vulnerabilities are the latest to hit Yahoo Messenger. Last April, Yahoo fixed a security flaw in its audio conferencing feature in its instant messenger.
And in December, Yahoo issued a security fix for its Messenger versions 5.0 through 8.0. That patch was designed to address a security flaw found in the ActiveX control, a component of Yahoo's services suite that typically downloads the Messenger installer.
Just a few days ago, Opera Software was singing the blues.
It turned out that unsavory attackers could craft malicious torrent files, which, in turn, could lead to a buffer overflow in Opera for Microsoft Windows users, according to Opera's security advisory.
And that's not a good thing.
These attackers could inject arbitrary code into users' systems if users right-clicked on a torrent entry in the transfer manager, resulting in a buffer overflow. Fortunately, for some, simply clicking on a torrent link would not trigger the vulnerability.
Opera, which was notified of the flaw on May 8 by security research firm iDefense, dashed out a fix Monday with its 9.21 security update.