Apple warns of Mac attack risk via image files

In an update that contains fixes for a total of 19 documented vulnerabilities, Apple said malicious hackers could rig PNG (Portable Network Graphics) and other images to take complete control of unpatched Mac systems.

Here's the skinny on the image-related vulnerabilities fixed in Security Update 2009-003:

• CVE-2009-1728 -- A stack buffer overflow exists in the handling of Canon RAW images. Viewing a maliciously crafted Canon RAW image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2009-1722 -- A heap buffer overflow exists in ImageIO's handling of OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2009-1721 -- An uninitialized memory access issue exists in ImageIO's handling of OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2009-1720 -- Multiple integer overflows exist in ImageIO's handling of OpenEXR images. Viewing a maliciously crafted OpenEXR image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2009-2188 -- A buffer overflow exists in ImageIO's handling of EXIF metadata. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2009-0040 -- An uninitialized pointer issue exists in the handling of PNG images. Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution.

The update also fixes serious security flaws in ColorSync, kernel, CoreTypes and Networking.

* Image source: charliekwalker’s Flickr photostream (Creative Commons 2.0)