Apple releases patches for dangerous QuickTime flaws in Apple TV 2.1 product

Apple released patches for its Apple TV 2.1 product yesterday. Some of you might be saying, why do I care, I don't use Apple TV. Well, if you do use Apple TV, you obviously should care as some of these are very serious flaws, but if you don't, you might still care because of the nature of the flaws patched for Apple TV.

These flaws were all released for disclosure quite some time ago and are just now being patched. Most were released three months ago, one was released last month, and two were released way back in January. What does that mean? Well, either Apple neglected to patch Apple TV, which might be the case as they recently neglected to patch the iPhone, OR more likely, Apple flaws in integrated applications like QuickTime are not getting looked for and patched on all Apple equipment, as researchers and possibly Apple may not realize how widespread applications like QuickTime are.

This is concerning. It's a tough problem for a vendor to tackle, but something I expect that Apple will be paying very close attention to going forward. Having a devastating QuickTime flaw un-patched for that long is pretty dangerous, as by this time, proof of concept code for exploit has probably been known about for quite some time.

Read on for more...

Have a look at these flaws from Apple's support site. I've included with them the date that they were originally reported to the security community (as determined by the National Vulnerability Database repository):

CVE-ID: CVE-2008-1015 Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of data reference atoms. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.

CVE-ID: CVE-2008-1017 Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the parsing of 'crgn' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Sanbin Li working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-ID: CVE-2008-1018 Date originally reported: 4/4/2008

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An issue in the parsing of 'chan' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-ID: CVE-2008-1585 Date originally reported: 6/10/2008

Impact: Playing maliciously crafted QuickTime content may lead to arbitrary code execution

Description: A URL handling issue exists in the handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content. This update addresses the issue by no longer launching local applications and files. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-ID: CVE-2008-0234 Date originally reported: 1/10/2008

Impact: Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow exists in the handling of HTTP responses when RTSP tunneling is enabled. Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-ID: CVE-2008-0036 Date originally reported: 1/15/2008

Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.