iTunes 8.2 in Software Update, supports iPhone 3.0; QuickTime & GarageBand also patched


The GarageBand update "addresses general compatibility issues, improves overall stability, and fixes a number of other minor issues [including] Improved purchasing experience for Artist Lessons in the GarageBand Lesson Store [&] Accessing installed Jam Packs in the loop browser." The update is required if you are purchasing lessons from the Lesson Store.
The iTunes update is one more clear sign that iPhone 3.0 is just around the corner. Be sure to stay tuned to our coverage of the Apple Worldwide Developer Conference next week for all your iPhone news!
QuickTime 7.6.2 is now available and addresses the following:

QuickTime
CVE-ID: CVE-2009-0188
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of Sorenson 3 video files. This may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of Sorenson 3
video files. Credit to Carsten Eiram of Secunia Research for
reporting this issue.

QuickTime
CVE-ID: CVE-2009-0951
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted FLC compression file may lead
to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of FLC
compression files. Opening a maliciously crafted FLC compression file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0952
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow may occur while processing a
compressed PSD image. Opening a maliciously crafted compressed PSD
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
bounds checking. Credit to Damian Put working with TippingPoint's
Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0010
Available for: Windows Vista and XP SP3
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer underflow in QuickTime's handling of PICT
images may result in a heap buffer overflow. Opening a maliciously
crafted PICT file may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of PICT images. Credit to Sebastian
Apelt working with TippingPoint's Zero Day Initiative, and Chris Ries
of Carnegie Mellon University Computing Services for reporting this
issue.

QuickTime
CVE-ID: CVE-2009-0953
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of PICT images. Opening a maliciously crafted PICT file may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of PICT images. Credit to Sebastian Apelt working with TippingPoint's
Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0954
Available for: Windows Vista and XP SP3
Impact: Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of Clipping Region (CRGN) atom types in a movie file. Opening a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved bounds checking. This issue does not affect
Mac OS X systems. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0185
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of MS
ADPCM encoded audio data. Viewing a maliciously crafted movie file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to Alin Rad Pop of Secunia Research for reporting
this issue.

QuickTime
CVE-ID: CVE-2009-0955
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted video file may lead to an
unexpected application termination or arbitrary code execution
Description: A sign extension issue exists in QuickTime's handling
of image description atoms. Opening a maliciously crafted Apple video
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
validation of description atoms. Credit to Roee Hay of IBM Rational
Application Security Research Group for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0956
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a movie file with a maliciously crafted user data
atom may lead to an unexpected application termination or arbitrary
code execution
Description: An uninitialized memory access issue exists in
QuickTime's handling of movie files. Viewing a movie file with a zero
user data atom size may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of movie files, and presenting a
warning dialog to the user. Credit to Lurene Grenier of Sourcefire,
Inc. (VRT) for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0957
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of JP2 images. Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit
to Charlie Miller of Independent Security Evaluators, and Damian Put
working with TippingPoint's Zero Day Initiative for reporting this
issue.
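Several of the fixes above come down to validating atom sizes before use (the zero-size user data atom, the CRGN bounds check, the sign extension in description atoms). The C example below is added here for illustration; it is not Apple's code and not part of the advisory. It walks a buffer of sibling atoms and rejects sizes that are too small, too large, or have the top bit set. The function name, error codes and sample buffers are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ATOM_TRUNCATED = -1, ATOM_BAD_SIZE = -2 };  /* illustrative names */

/* Big-endian 32-bit read; every byte is widened as unsigned, so a set
 * top bit can never be sign-extended into a negative length. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk sibling atoms in buf[0..len): 4-byte size (header included),
 * then 4-byte type. Returns the atom count or a negative error.
 * Simplification: the format's special sizes 0 and 1 are rejected. */
long walk_atoms(const unsigned char *buf, size_t len) {
    size_t off = 0;
    long count = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8)
            return ATOM_TRUNCATED;      /* no room for a header */
        uint32_t size = be32(buf + off);
        if (size < 8)                   /* 0 never advances; size - 8 wraps */
            return ATOM_BAD_SIZE;
        if (size > remaining)           /* compare to what is left, not off + size */
            return ATOM_BAD_SIZE;
        /* payload: size - 8 bytes at buf + off + 8, now known in bounds */
        off += size;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not taken from any real file). */
static const unsigned char GOOD[] = {0,0,0,12,'u','d','t','a',1,2,3,4,
                                     0,0,0,8,'f','r','e','e'};
static const unsigned char ZERO[] = {0,0,0,0,'u','d','t','a'};
static const unsigned char TINY[] = {0,0,0,4,'u','d','t','a'};
static const unsigned char HUGE_SIZE[] = {0x80,0,0,8,'u','d','t','a'};
static const unsigned char CUT[] = {0,0,0,8,'f','r'};

int main(void) {
    printf("%ld %ld %ld %ld %ld\n", walk_atoms(GOOD, sizeof GOOD),
           walk_atoms(ZERO, sizeof ZERO), walk_atoms(TINY, sizeof TINY),
           walk_atoms(HUGE_SIZE, sizeof HUGE_SIZE), walk_atoms(CUT, sizeof CUT));
    return 0;
}
```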




Reader Comments (Page 1 of 2)
Zoopra9457 said 4:37PM on 6-01-2009
I'm guessing it also "no longer supports the Palm Pre"
kdfwagen said 8:31PM on 6-01-2009
Yeah, that should be interesting to see if the Palm Pre still works.
iBearTouch said 4:42PM on 6-01-2009
Well I guess we are a week away from some serious 3.0 action...hip hip huzzah
Bob123321 said 4:42PM on 6-01-2009
Remember when people hated how Microsoft released patches every week? They can't just group them and do it all at once like everyone else does?
antiorario said 4:59PM on 6-01-2009
Who is "everyone else," in this context?
antiorario said 5:00PM on 6-01-2009
By the way, you can choose to have Software Update check for new software once a month, if it suits you better.
redking31591 said 4:54PM on 6-01-2009
They didn't remove the Blu-ray reference. That must mean Blu-ray really is in the works and wasn't a mistake.
Stephen.4 said 5:10PM on 6-01-2009
First thing I checked too. I knew it wasn't just a mistake, Apple would have Blu-ray eventually.
martian said 5:33PM on 6-01-2009
Odd.
Software update check downloaded the GarageBand update from "creative.ak.facebook.com.edgesuite.net" - what's Facebook got to do with my software update check?
Anyone out there who can reproduce this?
alanghorn said 5:49PM on 6-01-2009
They're either using EdgeSuite's CDN and EdgeSuite have put their files on Facebook's patch for some reason, probably mistakenly.
Or Apple are working with Facebook to produce something to do with GarageBand integration.
Ed said 7:10PM on 6-01-2009
Could just be reverse DNS being misleading. If multiple websites share the same IP (as they might with a content network like edge) a reverse DNS will give a random name... Just a guess?
esposimi said 9:35PM on 6-01-2009
This is not uncommon, in fact, when downloading video podcasts, my Little Snitch HUD often shows iTunes downloading them from something with a MySpace reference.
dizzy said 5:43PM on 6-01-2009
The latest beta from the iPhone developer site doesn't match this version number? 8.2.0 vs 8.2.10
Michael said 6:01PM on 6-01-2009
I didn't have an iTunes update when I checked, although I did have the others. Weird. I am running 8.2b10 (13).
schroef said 6:23PM on 6-01-2009
I've had the beta of iTunes 8.2 for a while now. And the update doesn't appear in SU. So I guess they didn't change anything.
Dan Woods said 6:54PM on 6-01-2009
8.2b10 (13) didn't support customised Carrier files (unlike 8.2b7 (10)).
Has anyone tried uploading custom Carriers to 8.2 yet?
mark said 6:23PM on 6-01-2009
Can't believe we had to go more than 11 replies for someone to ask something really important: how does this affect jailbreakers?
imode said 8:36PM on 6-01-2009
Since jailbreakers probably make up < 1% of iTunes users, it might take more than 11 replies... So I'll bite... I have a jailbroken iPhone and run iTunes 8.2 and I am not "affected". So what is your specific question?
G said 8:55PM on 6-01-2009
It looks like iTunes 8.2 once again remembers custom-set columns, column widths, and sorting inside the store (search, see more, Plus upgrade page, etc.). I had just sent feedback about this last week, for the second time since version 8 hit. Nice relief to a mildly annoying bug and/or feature.
ddub said 9:01PM on 6-01-2009
There haven't been any decent feature additions to iTunes since they invented the store.
Compared to other management software, taggers, etc., it's lightweight. Well, except with respect to the resources it hogs. Wish they'd actually improve it for once.