Apple released a new security update (2007-004 v1.1), a revision of the earlier update (2007-004) that addresses two bugs introduced with last week’s update. An update to QuickTime (7.1.6) for Windows and Mac users was also released; it addresses two important zero-day QuickTime flaws that can affect security on both platforms. This flaw was used with Safari to hack a MacBook at a recent “hackers” conference. Both of these updates are for ALL users.


Security Update 2007-004 is recommended for all users and improves the security of the following components:

  • AFP Client
  • AirPort
  • CarbonCore
  • diskdev_cmds
  • fetchmail
  • ftpd
  • gnutar
  • Help Viewer
  • HID Family
  • Installer
  • Kerberos
  • Libinfo
  • Login Window
  • network_cmds
  • SMB
  • System Configuration
  • URLMount
  • Video Conference
  • WebDAV

QuickTime 7.1.6 delivers numerous bug fixes, addresses a critical security issue with QuickTime for Java, and includes support for Final Cut Studio 2 and for Timecode and closed captioning display in QuickTime Player. Apple said the update is available for Mac OS X v10.3.9 and Mac OS X v10.4.9 as well as Windows XP SP2 and Windows 2000 SP4. The QuickTime update addresses a bug where visiting a malicious website may lead to arbitrary code execution: “An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution.”

These updates can be applied by running OS X Software Update or by downloading them from the Apple website: the Security Update download and the QuickTime 7.1.6 update for Windows and Macs.

Apple also released the AirPort Extreme 2007-003 patch, which updates WPA and WPA2 security for Intel-based Macs using an AirPort Extreme card. It is available through Mac OS X’s Software Update feature or for download. The update requires Mac OS X 10.4 or later and Intel-based hardware to run.