LiewCF.com

Quick Bugs

Apple on Wednesday released an update for QuickTime versions 6.5.2 and earlier, fixing an integer overflow which the company said could be exploited via an HTML Web page. U.K.-based Next Generation Security Software, which discovered the flaw, said it would withhold the specifics of the bug for three months, giving time for users to apply the patch. The bug affects Windows XP, 2000, ME, and 98, Apple said.

At the same time, Apple fixed an older QuickTime flaw that could allow an attacker to embed malicious code in a bitmap image. The new fix extends the patch to more system configurations, Apple said. A third patch fixes a less serious security bug in Apple Remote Desktop.

Real Problems

Meanwhile, Next Generation Security Software’s John Heasman and eEye Digital Security’s Yuji Ukai both claimed to have discovered a flaw in Windows versions of RealPlayer that allows the execution of malicious code during the decompression of skin files. The bug, patched by RealNetworks on Tuesday, is a buffer overflow in a third-party library called dunzip32.dll, used by RealPlayer to decompress the skin file.

An attacker could cause the player to automatically download and install a skin file (with the .rjs extension) via a Web browser without the user’s permission, then use the dunzip32.dll bug to run malicious code on the desktop, eEye said in an advisory.

The bug affects Windows versions of RealPlayer 10.5 (6.0.12.1053 and earlier), RealPlayer 10, and RealOne Player versions 1 and 2.

[ Read PCWord.com ]

Read also:

• RealNetwork Patches RealPlayer Critical Flaws
• More Big Security Holes in Linux
• Security update patch out for Japanese PSPs
• RealPlayer On Linux and Mac OS X
• China Hackers Spread RealPlayer Media Files with Virus Embedded