Monday, April 23, 2007

Patched Apple Flaws and New QuickTime Flaw Impacts Windows and Mac

Apple's been in the crosshairs recently. Last week they released their fourth security update of the year, fixing 25 separate security issues. Several of the fixes are related to file format flaws announced in the Month of Apple Bugs in January. Others allow local privilege escalation.

Possibly the most serious issue is in the RPC runtime (libinfo) library used by services such as NFS. Mu Security has provided some very specific details on the flaw, and for machines that are running NFS, the information may be enough for an attacker to create an exploit.

Although we haven't seen any exploits for any of these vulnerabilities, all Mac users should update before exploits start hitting the 'net.

On a related note, security researcher Dino Dai Zovi won a $10,000 bounty when he found a flaw and wrote an exploit to hack into a fully patched Mac laptop. We now know that the flaw he found was actually in the QuickTime application and can be exploited in various browsers and on various operating systems, including both OS X and Windows. Exploitation of this flaw requires the user to browse to a malicious website. There is no fix for the flaw at this time, but disabling Java in your browser should protect you. If you don't regularly use Java applets when browsing websites (I can't remember the last time I came across a website that required it), you should go to your preferences or options and disable it right now.
