iTunes 8.2 in Software Update, supports iPhone 3.0; QuickTime & GarageBand also patched

iTunes 8.2 just became available in Software Update. According to the update notes, "iTunes 8.2 now supports iPhone or iPod touch with the iPhone 3.0 Software Update. iTunes 8.2 also includes many accessibility improvements and bug fixes." The update weighs in at 79.3 MB.

QuickTime 7.6.2 and GarageBand Update 5.0.2 also became available at the same time. In keeping with Apple's policy of full disclosure, there's not much information for users about what's in either of the updates, although subscribers to Apple's security notification list got an email with a list of 10 fixed vulnerabilities in the QT update (soon to be posted at Apple's security site and reproduced in the second half of this post).

The GarageBand update "addresses general compatibility issues, improves overall stability, and fixes a number of other minor issues [including] Improved purchasing experience for Artist Lessons in the GarageBand Lesson Store [&] Accessing installed Jam Packs in the loop browser." The update is required if you are purchasing lessons from the Lesson Store.

The iTunes update is one more clear sign that iPhone 3.0 is just around the corner. Be sure to stay tuned to our coverage of the Apple Worldwide Developer Conference next week for all your iPhone news!APPLE-SA-2009-06-01-1 QuickTime 7.6.2

QuickTime 7.6.2 is now available and addresses the following:

QuickTime
CVE-ID: CVE-2009-0188
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's
handling of Sorenson 3 video files. This may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of Sorenson 3
video files. Credit to Carsten Eiram of Secunia Research for
reporting this issue.

QuickTime
CVE-ID: CVE-2009-0951
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted FLC compression file may lead
to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of FLC
compression files. Opening a maliciously crafted FLC compression file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0952
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow may occur while processing a
compressed PSD image. Opening a maliciously crafted compressed PSD
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
bounds checking. Credit to Damian Put working with TippingPoint's
Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0010
Available for: Windows Vista and XP SP3
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer underflow in QuickTime's handling of PICT
images may result in a heap buffer overflow. Opening a maliciously
crafted PICT file may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of PICT images. Credit to Sebastian
Apelt working with TippingPoint's Zero Day Initiative, and Chris Ries
of Carnegie Mellon University Computing Services for reporting this
issue.

QuickTime
CVE-ID: CVE-2009-0953
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of PICT images. Opening a maliciously crafted PICT file may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of PICT images. Credit to Sebastian Apelt working with TippingPoint's
Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0954
Available for: Windows Vista and XP SP3
Impact: Opening a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of Clipping Region (CRGN) atom types in a movie file. Opening a
maliciously crafted movie file may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved bounds checking. This issue does not affect
Mac OS X systems. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0185
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of MS
ADPCM encoded audio data. Viewing a maliciously crafted movie file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to Alin Rad Pop of Secunia Research for reporting
this issue.

QuickTime
CVE-ID: CVE-2009-0955
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Opening a maliciously crafted video file may lead to an
unexpected application termination or arbitrary code execution
Description: A sign extension issue exists in QuickTime's handling
of image description atoms. Opening a maliciously crafted Apple video
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue through improved
validation of description atoms. Credit to Roee Hay of IBM Rational
Application Security Research Group for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0956
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a movie file with a maliciously crafted user data
atom may lead to an unexpected application termination or arbitrary
code execution
Description: An uninitialized memory access issue exists in
QuickTime's handling of movie files. Viewing a movie file with a zero
user data atom size may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue by
performing additional validation of movie files, and presenting a
warning dialog to the user. Credit to Lurene Grenier of Sourcefire,
Inc. (VRT) for reporting this issue.

QuickTime
CVE-ID: CVE-2009-0957
Available for: Mac OS X v10.4.11, Mac OS X v10.5.7,
Windows Vista and XP SP3
Impact: Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling
of JP2 images. Viewing a maliciously crafted JP2 image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit
to Charlie Miller of Independent Security Evaluators, and Damian Put
working with TippingPoint's Zero Day Initiative for reporting this
issue.
Share