November 10th, 2008
Apple ships patch for iLife security flaws
Apple has shipped a major iLife security update to fix three documented vulnerabilities that could expose Mac OS X users to arbitrary code execution attacks.
The flaws patched with the new iLife Support 8.3.1 could be exploited via specially crafted TIFF or JPEG images, Apple warned in an advisory.
Some raw details:
- CVE-2008-2327: (iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11) Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This flaw was discovered internally by Apple’s security team.
- CVE-2008-2332: (iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11) A memory corruption issue exits in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Robert Swiecki of Google Security Team is credited with finding and reporting this vulnerability.
- CVE-2008-3608: (iLife 8.0 or Aperture 2, on Mac OS v10.4.9 through v10.4.11) A memory corruption issue exists in ImageIO’s handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This bug was discovered internally by Apple’s security team.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
